From 8e9b44ad2957c01ef5ee92e800da961614667814 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Tue, 5 Oct 2021 15:14:07 +1100
Subject: [PATCH 01/36] added Az Policy and RBAC Modules
---
 .../.bicep/nested_policyAssignments_mg.bicep | 27 ++
 .../.bicep/nested_policyAssignments_rg.bicep | 28 +++
 .../.bicep/nested_policyAssignments_sub.bicep | 27 ++
 .../policyAssignments/deploy.bicep | 119 +++++++++
 .../parameters/parameters.json | 12 +-
 .../.bicep/nested_policyDefinitions_mg.bicep | 15 ++
 .../.bicep/nested_policyDefinitions_sub.bicep | 15 ++
 .../policyDefinitions/deploy.bicep | 84 +++++++
 .../parameters/parameters.json | 56 +++++
 .../.bicep/nested_policyExemptions_mg.bicep | 13 +
 .../.bicep/nested_policyExemptions_rg.bicep | 14 ++
 .../.bicep/nested_policyExemptions_sub.bicep | 13 +
 .../policyExemptions/deploy.bicep | 84 +++++++
 .../parameters/parameters.json | 29 +++
 .../nested_policySetDefinition_mg.bicep | 11 +
 .../nested_policySetDefinition_sub.bicep | 11 +
 .../policySetDefinitions/deploy.bicep | 63 +++++
 .../parameters/parameters.json | 67 +++++
 .../.bicep/nested_roleAssignments_mg.bicep | 16 ++
 .../.bicep/nested_roleAssignments_rg.bicep | 17 ++
 .../.bicep/nested_roleAssignments_sub.bicep | 16 ++
 .../roleAssignments/deploy.bicep | 233 ++++++++++++++++++
 .../parameters/parameters.json | 54 +---
 .../.bicep/nested_roleDefinitions_mg.bicep | 33 +++
 .../.bicep/nested_roleDefinitions_rg.bicep | 34 +++
 .../.bicep/nested_roleDefinitions_sub.bicep | 33 +++
 .../roleDefinitions/deploy.bicep | 80 ++++++
 .../parameters/parameters.json | 9 +-
 .../roleDefinitions/readme.md | 80 ++++--
 29 files changed, 1225 insertions(+), 68 deletions(-)
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/deploy.bicep
 create mode 100644 arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep
 create mode 100644 arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
 create mode 100644 arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
 create mode 100644 arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json
 create mode 100644 arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep
 create mode 100644 arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep
 create mode 100644 arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep
 create mode 100644 arm/Microsoft.Authorization/policyExemptions/deploy.bicep
 create mode 100644 arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json
 create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
 create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep
 create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
 create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep
 create mode 100644 arm/Microsoft.Authorization/roleAssignments/deploy.bicep
 create mode 100644 arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep
 create mode 100644 arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep
 create mode 100644 arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep
 create mode 100644 arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep
new file mode 100644
index 0000000000..261a89610c
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep
@@ -0,0 +1,27 @@
+targetScope = 'managementGroup'
+param policyAssignmentName string
+param policyAssignmentProperties object
+param managementGroupId string
+param policyAssignmentIdentity object = {
+ type: 'systemAssigned'
+}
+param location string = deployment().location
+param roleDefinitionIds array = []
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
+ name: policyAssignmentName
+ location: location
+ properties: policyAssignmentProperties
+ identity: policyAssignmentIdentity
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && !empty(policyAssignmentIdentity)) {
+ name: guid(managementGroupId, roleDefinitionId, location, policyAssignmentName)
+ properties: {
+ roleDefinitionId: roleDefinitionId
+ principalId: policyAssignment.identity.principalId
+ }
+}]
+
+output policyAssignmentId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
+output policyAssignmentPrincipalId string = (policyAssignmentIdentity.type == 'SystemAssigned') ? policyAssignment.identity.principalId : ''
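Review bot: The roleAssignment loop's guard `!empty(policyAssignmentIdentity)` never fails, because the identity object is always populated — `{ type: 'None' }` is not empty — so a caller that passes roleDefinitionIds together with identity 'None' makes the loop dereference `policyAssignment.identity.principalId` on a resource that has no identity. The default object also spells the type `'systemAssigned'` while the principalId output compares against `'SystemAssigned'`, and Bicep's `==` is case-sensitive, so with the default the output is always ''. Guarding on the type fixes both: `if (!empty(roleDefinitionIds) && policyAssignmentIdentity.type == 'SystemAssigned')` together with the default `type: 'SystemAssigned'`. Because these role assignments grant the policy's managed identity rights at management-group scope, adding `principalType: 'ServicePrincipal'` to the role assignment properties is also worth doing, so that a just-created identity is not rejected before directory replication completes. nested_policyAssignments_rg.bicep and nested_policyAssignments_sub.bicep carry the same guard and default.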
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep
new file mode 100644
index 0000000000..925314dc6e
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep
@@ -0,0 +1,28 @@
+targetScope = 'resourceGroup'
+param policyAssignmentName string
+param policyAssignmentProperties object
+param resourceGroupName string
+param policyAssignmentIdentity object = {
+ type: 'systemAssigned'
+}
+param location string = resourceGroup().location
+param subscriptionId string
+param roleDefinitionIds array = []
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
+ name: policyAssignmentName
+ location: location
+ properties: policyAssignmentProperties
+ identity: policyAssignmentIdentity
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && !empty(policyAssignmentIdentity)) {
+ name: guid(subscriptionId, resourceGroupName, roleDefinitionId, location, policyAssignmentName)
+ properties: {
+ roleDefinitionId: roleDefinitionId
+ principalId: policyAssignment.identity.principalId
+ }
+}]
+
+output policyAssignmentId string = resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
+output policyAssignmentPrincipalId string = (policyAssignmentIdentity.type == 'SystemAssigned') ? policyAssignment.identity.principalId : ''
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep
new file mode 100644
index 0000000000..1feb96c33b
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep
@@ -0,0 +1,27 @@
+targetScope = 'subscription'
+param policyAssignmentName string
+param policyAssignmentProperties object
+param subscriptionId string
+param policyAssignmentIdentity object = {
+ type: 'systemAssigned'
+}
+param location string = deployment().location
+param roleDefinitionIds array = []
+
+resource policyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
+ name: policyAssignmentName
+ location: location
+ properties: policyAssignmentProperties
+ identity: policyAssignmentIdentity
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && !empty(policyAssignmentIdentity)) {
+ name: guid(subscriptionId, roleDefinitionId, location, policyAssignmentName)
+ properties: {
+ roleDefinitionId: roleDefinitionId
+ principalId: policyAssignment.identity.principalId
+ }
+}]
+
+output policyAssignmentId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policySetDefinitions', policyAssignment.name)
+output policyAssignmentPrincipalId string = (policyAssignmentIdentity.type == 'SystemAssigned') ? policyAssignment.identity.principalId : ''
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
new file mode 100644
index 0000000000..e4ce1aba98
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
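Review bot: The policyAssignmentId output builds the ID with the resource type `'Microsoft.Authorization/policySetDefinitions'`, so at subscription scope the module reports a policy-set-definition ID for a resource it never created. It should read `output policyAssignmentId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)`, matching the mg and rg variants. Anything that consumes this output will point at a non-existent resource — the policyExemptions module added in this same commit takes a policyAssignmentId of exactly this shape, and an exemption bound to a wrong ID silently protects nothing.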
@@ -0,0 +1,119 @@
+targetScope = 'managementGroup'
+
+@description('Required. Specifies the name of the policy assignment.')
+@maxLength(24)
+param policyAssignmentName string
+
+@description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
+param policyDefinitionID string
+
+@description('Optional. Parameters for the policy assignment if needed.')
+param parameters object = {}
+
+@description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
+@allowed([
+ 'SystemAssigned'
+ 'None'
+])
+param identity string = 'SystemAssigned'
+
+@description('Required. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built in Roles. They must match on what is on the policy definition')
+param roleDefinitionIds array = []
+
+@description('Optional. This message will be part of response in case of policy violation. If not provided, will be replaced with the Policy Assignment Name')
+param policyAssignmentDescription string = ''
+
+@description('Optional. The display name of the policy assignment. If not provided, will be replaced with the Policy Assignment Name')
+param displayName string = ''
+
+@description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.')
+param metadata object = {}
+
+@description('Optional. The messages that describe why a resource is non-compliant with the policy. If not provided will be replaced with empty')
+param nonComplianceMessage string = ''
+
+@description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce')
+@allowed([
+ 'Default'
+ 'DoNotEnforce'
+])
+param enforcementMode string = 'Default'
+
+@description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment')
+param managementGroupId string = ''
+
+@description('Optional. The Target Scope for the Policy. The Id of the subscription for the policy assignment')
+param subscriptionId string = ''
+
+@description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment')
+param resourceGroupName string = ''
+
+@description('Optional. The policy excluded scopes')
+param notScopes array = []
+
+@description('Optional. Location for all resources.')
+param location string = deployment().location
+
+var nonComplianceMessage_var = {
+ message: (empty(nonComplianceMessage) ? 'null' : nonComplianceMessage)
+}
+
+var policyAssignmentName_var = replace(policyAssignmentName, ' ', '-')
+var policyAssignmentProperties_var = {
+ displayName: (empty(displayName) ? json('null') : displayName)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ description: (empty(policyAssignmentDescription) ? json('null') : policyAssignmentDescription)
+ policyDefinitionId: policyDefinitionID
+ parameters: parameters
+ nonComplianceMessages: (empty(nonComplianceMessage) ? [] : array(nonComplianceMessage_var))
+ enforcementMode: enforcementMode
+ notScopes: (empty(notScopes) ? [] : notScopes)
+}
+
+var policyAssignmentIdentity_var = {
+ type: identity
+}
+
+module policyAssignment_mg '.bicep/nested_policyAssignments_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${policyAssignmentName_var}-policyAssignment_mg'
+ scope: managementGroup(managementGroupId)
+ params: {
+ policyAssignmentName: policyAssignmentName_var
+ location: location
+ policyAssignmentProperties: policyAssignmentProperties_var
+ policyAssignmentIdentity: policyAssignmentIdentity_var
+ managementGroupId: managementGroupId
+ roleDefinitionIds: roleDefinitionIds
+ }
+}
+
+module policyAssignment_sub '.bicep/nested_policyAssignments_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${policyAssignmentName_var}-policyAssignment_sub'
+ scope: subscription(subscriptionId)
+ params: {
+ policyAssignmentName: policyAssignmentName_var
+ location: location
+ policyAssignmentProperties: policyAssignmentProperties_var
+ policyAssignmentIdentity: policyAssignmentIdentity_var
+ subscriptionId: subscriptionId
+ roleDefinitionIds: roleDefinitionIds
+ }
+}
+
+module policyAssignment_rg '.bicep/nested_policyAssignments_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+ name: '${policyAssignmentName_var}-policyAssignment_rg'
+ scope: resourceGroup(subscriptionId, resourceGroupName)
+ params: {
+ policyAssignmentName: policyAssignmentName_var
+ location: location
+ policyAssignmentProperties: policyAssignmentProperties_var
+ policyAssignmentIdentity: policyAssignmentIdentity_var
+ resourceGroupName: resourceGroupName
+ subscriptionId: subscriptionId
+ roleDefinitionIds: roleDefinitionIds
+ }
+}
+
+output policyAssignmentName string = policyAssignmentName
+output policyAssignmentPrincipalId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.policyAssignmentPrincipalId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.policyAssignmentPrincipalId : policyAssignment_sub.outputs.policyAssignmentPrincipalId)
+output policyAssignmentId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.policyAssignmentId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.policyAssignmentId : policyAssignment_sub.outputs.policyAssignmentId)
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
index a511f42ea4..2ee1cc1d49 100644
--- a/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
@@ -2,9 +2,6 @@
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
 "contentVersion": "1.0.0.0",
 "parameters": {
- "resourceGroupName": {
- "value": ""
- },
 "policyAssignmentName": {
 "value": "Add a tag to resources"
 },
@@ -14,15 +11,18 @@
 "parameters": {
 "value": {
 "tagName": {
- "value": "Tag"
+ "value": "env"
 },
 "tagValue": {
- "value": "Value"
+ "value": "prod"
 }
 }
 },
 "location": {
- "value": "westeurope"
+ "value": "australiaeast"
+ },
+ "subscriptionId": {
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
 }
 }
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep
new file mode 100644
index 0000000000..ae93d9e164
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep
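Review bot: The three module conditions leave a hole: when no scope parameter is set, or when managementGroupId and subscriptionId are both set, none of the modules deploys and the outputs then reference modules that do not exist, so the mistake surfaces as an output error rather than as a scope-validation message. At minimum the description of each scope parameter should state that exactly one of managementGroupId, subscriptionId, or subscriptionId plus resourceGroupName must be given. Separately, the descriptions of displayName and policyAssignmentDescription promise a fallback to the policy assignment name, but nothing in the template implements it — the properties object passes `json('null')` when they are empty; either implement it, e.g. `displayName: (empty(displayName) ? policyAssignmentName : displayName)`, or, if the fallback is service-side behaviour, say so (policyDefinitions/deploy.bicep, policyExemptions/deploy.bicep and policySetDefinitions/deploy.bicep repeat this wording). roleDefinitionIds is labelled 'Required.' yet defaults to `[]`; its description should open with 'Optional.'.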
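Review bot: The new subscriptionId value pins this module's sample parameter file to one specific subscription, `8629be3b-96bc-482d-a04b-ffff597c65a2`, which nobody outside that tenant can deploy and which commits a tenant-specific identifier to the repository; the same value appears in policyExemptions/parameters/parameters.json (also inside its policyAssignmentId), and a second one, `20d6fbfe-b049-471c-95af-1369d14d0d45`, in policyDefinitions/parameters/parameters.json. A placeholder that the pipeline substitutes at test time would keep the parameter files portable and keep real IDs out of source control. The removal of resourceGroupName here also moves the test from resource-group to subscription scope, which is worth a word in the commit message.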
@@ -0,0 +1,15 @@
+targetScope = 'managementGroup'
+param policyDefinitionName string
+param policyDefinitionProperties object
+param managementGroupId string
+param returnRoleDefinitionIds bool = false
+param location string = deployment().location
+
+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
+ name: policyDefinitionName
+ location: location
+ properties: policyDefinitionProperties
+}
+
+output policyDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/policyDefinitions',policyDefinition.name)
+output roleDefinitionIds array = returnRoleDefinitionIds ? policyDefinitionProperties.policyRule.then.details.roleDefinitionIds : []
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
new file mode 100644
index 0000000000..55298e891d
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
@@ -0,0 +1,15 @@
+targetScope = 'subscription'
+param policyDefinitionName string
+param policyDefinitionProperties object
+param subscriptionId string = subscription().id
+param returnRoleDefinitionIds bool = false
+param location string = deployment().location
+
+resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
+ name: policyDefinitionName
+ location: location
+ properties: policyDefinitionProperties
+}
+
+output policyDefinitionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/policyDefinitions',policyDefinition.name)
+output roleDefinitionIds array = returnRoleDefinitionIds ? policyDefinitionProperties.policyRule.then.details.roleDefinitionIds : []
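Review bot: In nested_policyDefinitions_sub.bicep the default `param subscriptionId string = subscription().id` yields the full `/subscriptions/<guid>` path, but `subscriptionResourceId()` expects the bare subscription GUID, so the policyDefinitionId output is malformed whenever the default is used; `subscription().subscriptionId` is the right property, as nested_policyExemptions_rg.bicep in this same commit uses. nested_policySetDefinition_sub.bicep has the same default. Both definition modules also set `location` on `Microsoft.Authorization/policyDefinitions`, which as far as I can tell has no location property in its schema, so the value is at best ignored and the linter will warn — worth confirming and dropping. The roleDefinitionIds output dereferences `policyRule.then.details.roleDefinitionIds` unconditionally when returnRoleDefinitionIds is true; a `contains()` check on `then` and on `details` would turn the current deployment-time failure on rules without a details block into an empty array.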
diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
new file mode 100644
index 0000000000..a50d34a7a9
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
@@ -0,0 +1,84 @@
+targetScope = 'managementGroup'
+
+@description('Required. Specifies the name of the policy definition. Space characters will be replaced by (-) and converted to lowercase')
+@maxLength(64)
+param policyDefinitionName string
+
+@description('Optional. The display name of the policy definition. If not provided, will be replaced with the Policy Definition Name')
+param displayName string = ''
+
+@description('Optional. The display name of the policy definition. If not provided, will be replaced with the Policy Definition Name')
+param policyDescription string = ''
+
+@description('Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data.')
+@allowed([
+ 'All'
+ 'Indexed'
+ 'Microsoft.KeyVault.Data'
+ 'Microsoft.ContainerService.Data'
+ 'Microsoft.Kubernetes.Data'
+])
+param mode string = 'All'
+
+@description('Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key value pairs.')
+param metadata object = {}
+
+@description('Optional. The policy set definition parameters that can be used in policy definition references.')
+param parameters object = {}
+
+@description('Required. The policy rule. Must include \'[\' when defining parameters to escape the template expressions and prevent them from being evaluated by the top level deployment.')
+param policyRule object
+
+@description('Optional. The ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
+param managementGroupId string = ''
+
+@description('Optional. The ID of the Azure Subscription (Scope). Cannot be used with managementGroupId')
+param subscriptionId string = ''
+
+@description('Optional. Default is false. If set to True, role definitions array will be returned as an output. Only use if the Policy Definition supports it.')
+param returnRoleDefinitionIds bool = false
+
+@description('Optional. Location for all resources.')
+param location string = deployment().location
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+var policyDefinitionName_var = toLower(replace(policyDefinitionName, ' ', '-'))
+var policyDefinitionProperties_var = {
+ policyType: 'Custom'
+ mode: mode
+ displayName: (empty(displayName) ? json('null') : displayName)
+ description: (empty(policyDescription) ? json('null') : policyDescription)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ parameters: (empty(parameters) ? json('null') : parameters)
+ policyRule: policyRule
+}
+
+module policyDefinitions_mg './.bicep/nested_policyDefinitions_mg.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
+ name: '${policyDefinitionName_var}-mgDeployment'
+ scope: managementGroup(managementGroupId)
+ params: {
+ policyDefinitionName: policyDefinitionName_var
+ location: location
+ policyDefinitionProperties: policyDefinitionProperties_var
+ managementGroupId: managementGroupId
+ returnRoleDefinitionIds: returnRoleDefinitionIds
+ }
+}
+
+module policyDefinitions_sub './.bicep/nested_policyDefinitions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
+ name: '${policyDefinitionName_var}-subDeployment'
+ scope: subscription(subscriptionId)
+ params: {
+ policyDefinitionName: policyDefinitionName_var
+ location: location
+ policyDefinitionProperties: policyDefinitionProperties_var
+ subscriptionId: subscriptionId
+ returnRoleDefinitionIds: returnRoleDefinitionIds
+ }
+}
+
+output policyDefinitionName string = policyDefinitionName_var
+output policyDefinitionId string = !empty(managementGroupId) ? policyDefinitions_mg.outputs.policyDefinitionId : policyDefinitions_sub.outputs.policyDefinitionId
+output roleDefinitionIds array = !empty(managementGroupId) ? policyDefinitions_mg.outputs.roleDefinitionIds : policyDefinitions_sub.outputs.roleDefinitionIds
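Review bot: `cuaId` is declared with a description and a default but nothing in the template reads it — there is no customer-usage-attribution deployment resource in this file — so it is a dead parameter that either needs the tracking deployment wired in or should be removed until it does. Two descriptions are copy-pasted: policyDescription is described as 'The display name of the policy definition', and parameters as 'The policy set definition parameters'; `@description('Optional. The description of the policy definition.')` and `@description('Optional. The policy definition parameters that can be used in the policy rule.')` would fit. The lowercase conversion in policyDefinitionName_var means the deployed name differs from the caller's input whenever it contained capitals; the policyDefinitionName output already returns the converted value, and a one-line comment on it saying that callers must use this output, not their input, when building references would prevent lookups by the original name.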
diff --git a/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json
new file mode 100644
index 0000000000..89fc1c0994
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "policyDefinitionName": {
+ "value": "test-deny-keyvault-public-access"
+ },
+ "displayName": {
+ "value": "[Test] This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints"
+ },
+ "policyRule": {
+ "value": {
+ "if": {
+ "allOf": [
+ {
+ "equals": "Microsoft.KeyVault/vaults",
+ "field": "type"
+ },
+ {
+ "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction",
+ "notequals": "Deny"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ },
+ "parameters": {
+ "value": {
+ "effect": {
+ "allowedValues": [
+ "Audit",
+ "Deny",
+ "Disabled"
+ ],
+ "defaultValue": "Deny",
+ "metadata": {
+ "description": "Enable or disable the execution of the policy",
+ "displayName": "Effect"
+ },
+ "type": "String"
+ }
+ }
+ },
+ "metadata": {
+ "value": {
+ "category": "Security"
+ }
+ },
+ "subscriptionId": {
+ "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ }
+ }
+ }
\ No newline at end of file
diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep
new file mode 100644
index 0000000000..9616b7456e
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep
@@ -0,0 +1,13 @@
+targetScope = 'managementGroup'
+
+param policyExemptionName string
+param policyExemptionProperties object
+param managementGroupId string
+
+resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
+ name: policyExemptionName
+ properties: policyExemptionProperties
+}
+
+output policyExemptionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/policyExemptions',policyExemption.name)
+output policyExemptionScope string = tenantResourceId('Microsoft.Management/managementGroups',managementGroupId)
diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep
new file mode 100644
index 0000000000..4b89d0e073
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep
@@ -0,0 +1,14 @@
+targetScope = 'resourceGroup'
+
+param policyExemptionName string
+param policyExemptionProperties object
+param subscriptionId string = subscription().subscriptionId
+param resourceGroupName string = resourceGroup().name
+
+resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
+ name: policyExemptionName
+ properties: policyExemptionProperties
+}
+
+output policyExemptionId string = resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyExemptions', policyExemption.name)
+output policyExemptionScope string = resourceGroup().id
diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep
new file mode 100644
index 0000000000..1e83d45496
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep
@@ -0,0 +1,13 @@
+targetScope = 'subscription'
+
+param policyExemptionName string
+param policyExemptionProperties object
+param subscriptionId string
+
+resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
+ name: policyExemptionName
+ properties: policyExemptionProperties
+}
+
+output policyExemptionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/policyExemptions',policyExemption.name)
+output policyExemptionScope string = subscription().id
diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
new file mode 100644
index 0000000000..45141f3036
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
@@ -0,0 +1,84 @@
+targetScope = 'managementGroup'
+
+@description('Required. Specifies the name of the policy exemption. Space characters will be replaced by (-) and converted to lowercase')
+@maxLength(64)
+param policyExemptionName string
+
+@description('Optional. The display name of the policy exemption. If not provided, will be replaced with the Policy exemption Name')
+param displayName string = ''
+
+@description('Optional. The display name of the policy exemption. If not provided, will be replaced with the Policy exemption Name')
+param policyExemptionDescription string = ''
+
+@description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key value pairs.')
+param metadata object = {}
+
+@description('Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated')
+@allowed([
+ 'Mitigated'
+ 'Waiver'
+])
+param exemptionCategory string = 'Mitigated'
+
+@description('Required. The ID of the policy assignment that is being exempted.')
+param policyAssignmentId string
+
+@description('Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.')
+param policyDefinitionReferenceIds array = []
+
+@description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
+param expiresOn string = ''
+
+@description('Optional. The ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
+param managementGroupId string = ''
+
+@description('Optional. The ID of the Azure Subscription (Scope). Cannot be used with managementGroupId')
+param subscriptionId string = ''
+
+@description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment')
+param resourceGroupName string = ''
+
+var policyExemptionName_var = toLower(replace(policyExemptionName, ' ', '-'))
+var policyExemptionProperties_var = {
+ displayName: (empty(displayName) ? json('null') : displayName)
+ description: (empty(policyExemptionDescription) ? json('null') : policyExemptionDescription)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ exemptionCategory: exemptionCategory
+ policyAssignmentId: policyAssignmentId
+ policyDefinitionReferenceIds: (empty(policyDefinitionReferenceIds) ? [] : policyDefinitionReferenceIds)
+ expiresOn: (empty(expiresOn) ? json('null') : expiresOn)
+}
+
+module policyExemptions_mg './.bicep/nested_policyexemptions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${policyExemptionName_var}-mg'
+ scope: managementGroup(managementGroupId)
+ params: {
+ policyExemptionName: policyExemptionName_var
+ policyExemptionProperties: policyExemptionProperties_var
+ managementGroupId: managementGroupId
+ }
+}
+
+module policyExemptions_sub './.bicep/nested_policyexemptions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+ name: '${policyExemptionName_var}-sub'
+ scope: subscription(subscriptionId)
+ params: {
+ policyExemptionName: policyExemptionName_var
+ policyExemptionProperties: policyExemptionProperties_var
+ subscriptionId: subscriptionId
+ }
+}
+
+module policyExemptions_rg './.bicep/nested_policyexemptions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+ name: '${policyExemptionName_var}-rg'
+ scope: resourceGroup(subscriptionId, resourceGroupName)
+ params: {
+ policyExemptionName: policyExemptionName_var
+ policyExemptionProperties: policyExemptionProperties_var
+ subscriptionId: subscriptionId
+ }
+}
+
+output policyExemptionName string = policyExemptionName_var
+output policyExemptionId string = !empty(managementGroupId) ? policyExemptions_mg.outputs.policyExemptionId : (!empty(resourceGroupName) ? policyExemptions_rg.outputs.policyExemptionId : policyExemptions_sub.outputs.policyExemptionId)
+output policyExemptionScope string = !empty(managementGroupId) ? policyExemptions_mg.outputs.policyExemptionScope : (!empty(resourceGroupName) ? policyExemptions_rg.outputs.policyExemptionScope : policyExemptions_sub.outputs.policyExemptionScope)
diff --git a/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json b/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json
new file mode 100644
index 0000000000..efc4a3ecc2
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json
@@ -0,0 +1,29 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "policyExemptionName": {
+ "value": "test-policy-exempt"
+ },
+ "displayName": {
+ "value": "[Test] policy exempt"
+ },
+ "policyAssignmentId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/Microsoft.Authorization/policyAssignments/Add-a-tag-to-resources"
+ },
+ "exemptionCategory": {
+ "value": "Waiver"
+ },
+ "metadata": {
+ "value": {
+ "category": "Security"
+ }
+ },
+ "expiresOn": {
+ "value": "2023-10-02T03:57:00.000Z"
+ },
+ "subscriptionId": {
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
+ }
+ }
+ }
\ No newline at end of file
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
new file mode 100644
index 0000000000..81ba50f46f
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
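Review bot: The three module paths use `nested_policyexemptions_*.bicep` in lowercase while the files added in this commit are named `nested_policyExemptions_*.bicep`; on a case-sensitive file system (Linux build agents) the build will not find them, and a case-insensitive developer machine hides the problem. The fix is the three path strings, e.g. `module policyExemptions_mg './.bicep/nested_policyExemptions_mg.bicep' = if (...)`. Since an exemption suspends enforcement of the assignment it names, the expiresOn description should say what omitting it means — the code maps '' to `json('null')`, which is an exemption with no expiry — e.g. `'Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. If omitted, the exemption has no expiry and stays in effect until deleted.'`. The policyExemptionDescription description is a copy of displayName's and should read 'The description of the policy exemption.'.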
@@ -0,0 +1,11 @@
+targetScope = 'managementGroup'
+param policySetDefinitionName string
+param policySetDefinitionProperties object
+param managementGroupId string
+
+resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+ name: policySetDefinitionName
+ properties: policySetDefinitionProperties
+}
+
+output policySetDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/policySetDefinitions',policySetDefinition.name)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep
new file mode 100644
index 0000000000..eb3e4b2e5e
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep
@@ -0,0 +1,11 @@
+targetScope = 'subscription'
+param policySetDefinitionName string
+param policySetDefinitionProperties object
+param subscriptionId string = subscription().id
+
+resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
+ name: policySetDefinitionName
+ properties: policySetDefinitionProperties
+}
+
+output policySetDefinitionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/policySetDefinitions',policySetDefinition.name)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
new file mode 100644
index 0000000000..ceac3a4e3f
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
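Review bot: None of the three params in nested_policySetDefinition_mg.bicep carry a `@description` decorator, unlike the parent deploy.bicep, so generated parameter documentation for this nested template will be empty; nested_policySetDefinition_sub.bicep has the same gap. Suggest `@description('Required. Name of the policy set definition, already whitespace-sanitized by the parent module.')` on policySetDefinitionName, `@description('Required. Properties object forwarded unchanged to the policySetDefinitions resource.')` on policySetDefinitionProperties, and `@description('Required. ID of the management group, used only to build the output resource ID.')` on managementGroupId.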
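Review bot: In nested_policySetDefinition_sub.bicep the default `param subscriptionId string = subscription().id` yields the full `/subscriptions/<guid>` path, yet the value is then passed as the first argument of `subscriptionResourceId(subscriptionId, ...)`, which takes the bare subscription GUID, so a caller relying on the default would get a malformed `policySetDefinitionId` output. The parent deploy.bicep always passes `subscriptionId` explicitly, so this is latent today, but the default is still wrong. Change it to `param subscriptionId string = subscription().subscriptionId`.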
@@ -0,0 +1,63 @@
+targetScope = 'managementGroup'
+
+@description('Required. Specifies the name of the policy assignment.')
+@maxLength(64)
+param policySetDefinitionName string
+
+@description('Optional. The display name of the policy assignment. If not provided, will be replaced with the Policy Assignment Name')
+param displayName string = ''
+
+@description('Optional. This message will be part of response in case of policy violation. If not provided, will be replaced with the Policy Assignment Name')
+param policySetDescription string = ''
+
+@description('Optional. The ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
+param managementGroupId string = ''
+
+@description('Optional. The ID of the Azure Subscription (Scope). Cannot be used with managementGroupId')
+param subscriptionId string = ''
+
+@description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.')
+param metadata object = {}
+
+@description('Required. The array of Policy definitions object to include for this policy set. Each object must include the definition ID, parameters, ')
+param policyDefinitions array
+
+@description('Optional. The metadata describing groups of policy definition references within the policy set definition.')
+param policyDefinitionGroups array = []
+
+@description('Optional. The policy set definition parameters that can be used in policy definition references.')
+param parameters object = {}
+
+var policySetDefinitionName_var = replace(policySetDefinitionName, ' ', '-')
+var policySetDefinitionProperties_var = {
+ policyType: 'Custom'
+ displayName: (empty(displayName) ? json('null') : displayName)
+ description: (empty(policySetDescription) ? json('null') : policySetDescription)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ parameters: (empty(parameters) ? 
json('null') : parameters)
+ policyDefinitions: policyDefinitions
+ policyDefinitionGroups: (empty(policyDefinitionGroups) ? [] : policyDefinitionGroups)
+}
+
+module policySetDefinition_mg './.bicep/nested_policySetDefinition_mg.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
+ name: '${policySetDefinitionName_var}-mgDeployment'
+ scope: managementGroup(managementGroupId)
+ params: {
+ policySetDefinitionName: policySetDefinitionName_var
+ policySetDefinitionProperties: policySetDefinitionProperties_var
+ managementGroupId: managementGroupId
+ }
+}
+
+module policySetDefinition_sub './.bicep/nested_policySetDefinition_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) {
+ name: '${policySetDefinitionName_var}-subDeployment'
+ scope: subscription(subscriptionId)
+ params: {
+ policySetDefinitionName: policySetDefinitionName_var
+ policySetDefinitionProperties: policySetDefinitionProperties_var
+ subscriptionId: subscriptionId
+ }
+}
+
+output policySetDefinitionName string = policySetDefinitionName_var
+output policySetDefinitionId string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.policySetDefinitionId : policySetDefinition_sub.outputs.policySetDefinitionId
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
new file mode 100644
index 0000000000..7e5e0552f0
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
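Review bot: The `@description` texts for policySetDefinitionName, displayName, policySetDescription and metadata were carried over from the policy-assignment module and describe a "policy assignment" rather than a policy set definition, and the policyDefinitions description stops mid-sentence (`Each object must include the definition ID, parameters, `). Suggest `@description('Required. Specifies the name of the policy set definition.')`, `@description('Optional. The display name of the policy set definition.')` and `@description('Optional. The description of the policy set definition.')`, and finishing the policyDefinitions sentence with the remaining required keys (policyDefinitionReferenceId and groupNames, as used in the parameter file). Separately, when both managementGroupId and subscriptionId are empty neither module condition holds, yet `output policySetDefinitionId` still dereferences `policySetDefinition_sub.outputs`; the descriptions of the two scope params should state that exactly one of them is required so that failure mode is explicit to callers.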
@@ -0,0 +1,67 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "policySetDefinitionName": {
+ "value": "test-policySetExample"
+ },
+ "policySetDescription": {
+ "value": "[Test] Set of security policies"
+ },
+ "displayName": {
+ "value": "[Test] contoso security Policies"
+ },
+ "policyDefinitionGroups": {
+ "value": [
+ {
+ "name": "Network"
+ },
+ {
+ "name": "ARM"
+ }
+ ]
+ },
+ "policyDefinitions": {
+ "value": [
+ {
+ "groupNames": [
+ "ARM"
+ ],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "australiaeast"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c",
+ "policyDefinitionReferenceId": "Allowed locations_1"
+ },
+ {
+ "groupNames": [
+ "ARM"
+ ],
+ "parameters": {
+ "listOfAllowedLocations": {
+ "value": [
+ "australiaeast"
+ ]
+ }
+ },
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988",
+ "policyDefinitionReferenceId": "Allowed locations for resource groups_1"
+ }
+ ]
+ },
+ "metadata": {
+ "value": {
+ "category": "Security",
+ "version": "1"
+ }
+ },
+ "subscriptionId": {
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
+ }
+ }
+ }
+
\ No newline at end of file
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep
new file mode 100644
index 0000000000..9e04b870c6
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep
@@ -0,0 +1,16 @@
+targetScope = 'managementGroup'
+
+param roleDefinitionId string
+param principalId string
+param managementGroupId string
+param location string = deployment().location
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+ name: guid(managementGroupId, location, roleDefinitionId, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionId
+ principalId: principalId
+ }
+}
+
+output roleAssignmentId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/roleAssignments',roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep
new file mode 100644
index 0000000000..4446ea48dd
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep
@@ -0,0 +1,17 @@
+targetScope = 'resourceGroup'
+
+param roleDefinitionId string
+param principalId string
+param subscriptionId string
+param resourceGroupName string
+param location string = resourceGroup().location
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+ name: guid(subscriptionId, resourceGroupName, location, roleDefinitionId, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionId
+ principalId: principalId
+ }
+}
+
+output roleAssignmentId string = resourceId(resourceGroupName, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep
new file mode 100644
index 0000000000..289731f589
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep
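Review bot: The role assignment name in nested_roleAssignments_mg.bicep folds `location` into `guid(managementGroupId, location, roleDefinitionId, principalId)`, but a role assignment is not a regional resource, so the same (scope, role, principal) tuple deployed from a different deployment location gets a different name while the earlier assignment still exists, and the second deployment will likely be rejected as a duplicate instead of being a no-op. The rg and sub templates in this commit have the same property in their `guid(...)` calls. Dropping `location` from all three, e.g. `name: guid(managementGroupId, roleDefinitionId, principalId)`, keeps the name stable and the deployment idempotent. The `properties` block also sets no `principalType`; an optional parameter forwarded into properties would let callers declare `ServicePrincipal` for freshly created identities, which is the usual way to avoid principal-lookup failures during directory replication.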
@@ -0,0 +1,16 @@
+targetScope = 'subscription'
+
+param roleDefinitionId string
+param principalId string
+param subscriptionId string
+param location string = deployment().location
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+ name: guid(subscriptionId, roleDefinitionId, location, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionId
+ principalId: principalId
+ }
+}
+
+output roleAssignmentId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/roleAssignments',roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
new file mode 100644
index 0000000000..b8285df8f0
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
@@ -0,0 +1,233 @@
+targetScope = 'managementGroup'
+
+@description('Required. You can provide either the display name of the role definition, or it\'s fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleDefinitionIdOrName string
+
+@description('Required. You can provide either the display name of the role definition, or it\'s fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param principalId string
+
+@description('Optional. Name of the Resource Group to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription.')
+param resourceGroupName string = ''
+
+@description('Optional. ID of the Subscription to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription.')
+param subscriptionId string = ''
+
+@description('Optional. ID of the Management Group to assign the RBAC role(s) to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role(s) to the management group.')
+param managementGroupId string = ''
+
+@description('Optional. 
Location for all resources.')
+param location string = deployment().location
+
+var builtInRoleNames_var = {
+ 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+ 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
+ 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
+ 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
+ 'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
+ 'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
+ 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
+ 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61'
+ 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d'
+ 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
+ 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
+ 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e'
+ 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b'
+ 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e'
+ 'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3'
+ 'Automation Job Operator': 
'/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f'
+ 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
+ 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5'
+ 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a'
+ 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9'
+ 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7'
+ 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302'
+ 'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe'
+ 'Azure Digital Twins Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3'
+ 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec'
+ 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
+ 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975'
+ 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'
+ 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
+ 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
+ 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204'
+ 
'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa'
+ 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
+ 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
+ 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
+ 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
+ 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
+ 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
+ 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a'
+ 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b'
+ 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324'
+ 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912'
+ 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
+ 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342'
+ 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24'
+ 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
+ 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
+ 'CDN Endpoint Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45'
+ 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd'
+ 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432'
+ 'CDN Profile Reader': '/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af'
+ 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f'
+ 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25'
+ 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d'
+ 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
+ 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe'
+ 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
+ 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
+ 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f'
+ 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c'
+ 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73'
+ 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
+ 'Cognitive Services Data Reader (Preview)': 
'/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c'
+ 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
+ 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
+ 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908'
+ 'Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
+ 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8'
+ 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
+ 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
+ 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430'
+ 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3'
+ 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5'
+ 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027'
+ 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5'
+ 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
+ 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90'
+ 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
+ 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64'
+ 'DNS 
Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
+ 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450'
+ 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443'
+ 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405'
+ 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c'
+ 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c'
+ 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1'
+ 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd'
+ 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843'
+ 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508'
+ 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913'
+ 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9'
+ 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a'
+ 'HDInsight Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c'
+ 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d'
+ 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
+ 'Hybrid Server Resource Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
+ 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8'
+ 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec'
+ 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e'
+ 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395'
+ 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c'
+ 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
+ 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead'
+ 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
+ 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893'
+ 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
+ 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe'
+ 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
+ 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae'
+ 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44'
+ 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
+ 'Managed Identity Operator': 
'/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'
+ 'Managed Services Registration assignment Delete ': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
+ 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c'
+ 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d'
+ 'Marketplace Admin': '/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f'
+ 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
+ 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb'
+ 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05'
+ 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7'
+ 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237'
+ 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745'
+ 'Owner': '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84'
+ 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
+ 'Reader': '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
+ 'Redis Cache Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17'
+ 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
+ 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
+ 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
+ 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94'
+ 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0'
+ 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
+ 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5'
+ 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10'
+ 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4'
+ 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
+ 'SignalR Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
+ 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567'
+ 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca'
+ 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149'
+ 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
+ 'Spatial Anchors Account Owner': 
'/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c'
+ 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
+ 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
+ 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
+ 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3'
+ 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
+ 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
+ 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12'
+ 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+ 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+ 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+ 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
+ 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
+ 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
+ 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
+ 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88'
+ 'Storage Queue Data Message 
Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed'
+ 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a'
+ 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925'
+ 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
+ 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
+ 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7'
+ 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+ 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4'
+ 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+ 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52'
+ 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b'
+ 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772'
+ 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
+ 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
+}
+
+var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? 
builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+
+module roleAssignment_mg './.bicep/nested_roleAssignments_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+ name: 'roleAssignment-mg-${guid(roleDefinitionId_var,principalId)}'
+ scope: managementGroup(managementGroupId)
+ params: {
+ roleDefinitionId: roleDefinitionId_var
+ principalId: principalId
+ managementGroupId: managementGroupId
+ location: location
+ }
+}
+
+module roleAssignment_sub './.bicep/nested_roleAssignments_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+ name: 'roleAssignment-sub-${guid(roleDefinitionId_var,principalId)}'
+ scope: subscription(subscriptionId)
+ params: {
+ roleDefinitionId: roleDefinitionId_var
+ principalId: principalId
+ subscriptionId: subscriptionId
+ location: location
+ }
+}
+
+module roleAssignment_rg './.bicep/nested_roleAssignments_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+ name: 'roleAssignment-${guid(roleDefinitionId_var,principalId)}'
+ scope: resourceGroup(subscriptionId, resourceGroupName)
+ params: {
+ roleDefinitionId: roleDefinitionId_var
+ principalId: principalId
+ subscriptionId: subscriptionId
+ resourceGroupName: resourceGroupName
+ location: location
+ }
+}
+
+output roleAssignmentId string = !empty(managementGroupId) ? roleAssignment_mg.outputs.roleAssignmentId : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.roleAssignmentId : roleAssignment_sub.outputs.roleAssignmentId)
diff --git a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
index 1bf069fbd9..c21ebaa1ec 100644
--- a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
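Review bot: The `@description` on `principalId` is a verbatim copy of the roleDefinitionIdOrName text and tells the caller to supply a role definition ID, and the subscriptionId description reads "If no Resource Group name is provided" where it means the subscription; suggest `@description('Required. The object ID of the principal (user, group, service principal or managed identity) that receives the role.')` and `@description('Optional. ID of the Subscription to assign the RBAC role(s) to. If no Subscription is provided, the module deploys at management group level.')`. In builtInRoleNames_var the key `'Managed Services Registration assignment Delete '` carries a trailing space, so the name without it will never match and is passed through as if it were a raw roleDefinitionId; strip the trailing space. That pass-through is by design for IDs, but a short comment above `roleDefinitionId_var` such as `// Any value not found in the table is assumed to be a full role definition resource ID and is forwarded unchanged` would make the typo failure mode visible to readers. As in policySetDefinitions/deploy.bicep, `output roleAssignmentId` dereferences `roleAssignment_sub.outputs` even when no scope parameter was given and no module was deployed.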
@@ -2,51 +2,17 @@ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { - // Resource Group name is optional, when provided, the Role Assignment will target the RG. When not provided the scope will be the subscription. - "resourceGroupName": { - "value": "artifacts-rg" + "roleDefinitionIdOrName": { + "value": "Owner" + }, + "principalId":{ + "value": "9fa1a3c1-d53b-40ea-8617-ec99e51285a3" }, - "roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Owner", - "principalIds": [ - // "12345678-1234-1234-1234-123456780123" - // "abcd5678-1234-1234-1234-123456780123" - ] - }, - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - // "12345678-1234-1234-1234-123456780123" - // "abcd5678-1234-1234-1234-123456780123" - ] - }, - // // Built-in Role Definition, referenced by ID - // { - // "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - // "principalIds": [ - // // "12345678-1234-1234-1234-123456780123" - // // "abcd5678-1234-1234-1234-123456780123" - // ] - // }, - // // Custom Role Definition on Resource Group scope - // { - // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/providers/Microsoft.Authorization/roleDefinitions/54597af5-2126-5a52-a2ce-4bb56e90d3c8", - // "principalIds": [ - // // "12345678-1234-1234-1234-123456780123" - // // "abcd5678-1234-1234-1234-123456780123" - // ] - // }, - // // Custom Role Definition on Subscription scope - // { - // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/resourceGroups/rbacTest/providers/Microsoft.Authorization/roleDefinitions/08e417aa-3d20-5a4e-94da-b2aa45bd5929", - // "principalIds": [ - // // "12345678-1234-1234-1234-123456780123" - // // "abcd5678-1234-1234-1234-123456780123" - // ] - // } - ] + "subscriptionId": { + "value": "8629be3b-96bc-482d-a04b-ffff597c65a2" + }, + 
"resourceGroupName": { + "value": "validation-rg" } } } \ No newline at end of file diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep new file mode 100644 index 0000000000..046d641681 --- /dev/null +++ b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep @@ -0,0 +1,33 @@ +targetScope = 'managementGroup' + +param roleName string +param roleDescription string = '' +param actions array = [] +param notActions array = [] +param dataActions array = [] +param notDataActions array = [] +param managementGroupId string +param location string = deployment().location + +resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = { + name: guid(roleName, managementGroupId, location) + properties: { + roleName: roleName + description: roleDescription + type: 'customRole' + permissions: [ + { + actions: actions + notActions: notActions + dataActions: dataActions + notDataActions: notDataActions + } + ] + assignableScopes: [ + tenantResourceId('Microsoft.Management/managementGroups',managementGroupId) + ] + } +} + +output roleDefinitionScope string = tenantResourceId('Microsoft.Management/managementGroups',managementGroupId) +output roleDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/roleDefinitions',roleDefinition.name) diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep new file mode 100644 index 0000000000..c8c9477e6e --- /dev/null +++ b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep 
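Review bot: The new validation parameters assign `Owner` to a fixed `principalId` at the `validation-rg` scope, which is the broadest built-in role and more than a deployment test of this module needs. Unless the pipeline depends on Owner specifically, a low-privilege role such as `"value": "Reader"` exercises the same code path with far less blast radius if the validation subscription is ever reused. The removed comments were the only place documenting the built-in-by-ID and custom-role-ID forms of `roleDefinitionIdOrName`; consider carrying one sentence of that into the module readme so the accepted formats stay discoverable.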
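Review bot: `name: guid(roleName, managementGroupId, location)` folds `location` into the role definition's identity even though a role definition is not a regional resource and `location` is otherwise unused in this file; redeploying the same `roleName` with a different `location` yields a different GUID and therefore a second definition with the same display name instead of an update of the existing one, which Azure is likely to reject. Dropping it, `name: guid(roleName, managementGroupId)`, keeps the name stable across deployments. The same pattern appears in `nested_roleDefinitions_rg.bicep` and `nested_roleDefinitions_sub.bicep` below, and in the `name:` of the three `module` declarations in `roleDefinitions/deploy.bicep`.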
@@ -0,0 +1,34 @@
+targetScope = 'resourceGroup'
+
+param roleName string
+param roleDescription string = ''
+param actions array = []
+param notActions array = []
+param dataActions array = []
+param notDataActions array = []
+param subscriptionId string = subscription().id
+param resourceGroupName string = resourceGroup().name
+param location string = resourceGroup().location
+
+resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
+ name: guid(roleName, subscriptionId, resourceGroupName, location)
+ properties: {
+ roleName: roleName
+ description: roleDescription
+ type: 'customRole'
+ permissions: [
+ {
+ actions: actions
+ notActions: notActions
+ dataActions: dataActions
+ notDataActions: notDataActions
+ }
+ ]
+ assignableScopes: [
+ resourceGroup().id
+ ]
+ }
+}
+
+output roleDefinitionScope string = resourceGroup().id
+output roleDefinitionId string = roleDefinition.id
diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep
new file mode 100644
index 0000000000..6b3fa00545
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep
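Review bot: `param subscriptionId string = subscription().id` defaults to the full `/subscriptions/<id>` resource id, while the parameter name, and the value the parent passes from its own `subscriptionId`, is the bare subscription GUID; the two only meet in `guid(...)` today, so nothing breaks, but the default produces a different resource name than the parent-supplied value for the same subscription. `param subscriptionId string = subscription().subscriptionId` makes the default consistent with the caller.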
@@ -0,0 +1,33 @@
+targetScope = 'subscription'
+
+param roleName string
+param roleDescription string = ''
+param actions array = []
+param notActions array = []
+param dataActions array = []
+param notDataActions array = []
+param subscriptionId string
+param location string = deployment().location
+
+resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
+ name: guid(roleName, subscriptionId, location)
+ properties: {
+ roleName: roleName
+ description: roleDescription
+ type: 'customRole'
+ permissions: [
+ {
+ actions: actions
+ notActions: notActions
+ dataActions: dataActions
+ notDataActions: notDataActions
+ }
+ ]
+ assignableScopes: [
+ subscription().id
+ ]
+ }
+}
+
+output roleDefinitionScope string = subscription().id
+output roleDefinitionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/roleDefinitions',roleDefinition.name)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
new file mode 100644
index 0000000000..18fcfeb063
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep
@@ -0,0 +1,80 @@ +targetScope = 'managementGroup' + +@description('Required. Name of the custom RBAC role to be created.') +param roleName string + +@description('Optional. Description of the custom RBAC role to be created.') +param roleDescription string = '' + +@description('Optional. List of allowed actions.') +param actions array = [] + +@description('Optional. List of denied actions.') +param notActions array = [] + +@description('Optional. List of allowed data actions.') +param dataActions array = [] + +@description('Optional. List of denied data actions.') +param notDataActions array = [] + +@description('Optional. The ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used.') +param managementGroupId string = '' + +@description('Optional. The Subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level.') +param subscriptionId string = '' + +@description('Optional. The name of the Resource Group where the Role Definition and Target Scope will be applied to.') +param resourceGroupName string = '' + +@description('Optional. 
Location for all resources.') +param location string = deployment().location + +module roleDefinitionDeployment_mg './.bicep/nested_roleDefinitions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { + name: 'roleDefinition-mg-${guid(roleName,managementGroupId,location)}' + scope: managementGroup(managementGroupId) + params: { + roleName: roleName + roleDescription: roleDescription + actions: actions + notActions: notActions + dataActions: dataActions + notDataActions: notDataActions + managementGroupId: managementGroupId + location: location + } +} + +module roleDefinitionDeployment_sub './.bicep/nested_roleDefinitions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { + name: 'roleDefinition-sub-${guid(roleName,subscriptionId,location)}' + scope: subscription(subscriptionId) + params: { + roleName: roleName + roleDescription: roleDescription + actions: actions + notActions: notActions + dataActions: dataActions + notDataActions: notDataActions + subscriptionId: subscriptionId + location: location + } +} + +module roleDefinitionDeployment_rg './.bicep/nested_roleDefinitions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { + name: 'roleDefinition-rg-${guid(roleName,subscriptionId,resourceGroupName,location)}' + scope: resourceGroup(subscriptionId,resourceGroupName) + params: { + roleName: roleName + roleDescription: roleDescription + actions: actions + notActions: notActions + dataActions: dataActions + notDataActions: notDataActions + subscriptionId: subscriptionId + resourceGroupName: resourceGroupName + location: location + } +} + +output roleDefinitionId string = !empty(managementGroupId) ? roleDefinitionDeployment_mg.outputs.roleDefinitionId : (!empty(resourceGroupName) ? 
roleDefinitionDeployment_rg.outputs.roleDefinitionId : roleDefinitionDeployment_sub.outputs.roleDefinitionId) +output roleDefinitionScope string = !empty(managementGroupId) ? roleDefinitionDeployment_mg.outputs.roleDefinitionScope : (!empty(resourceGroupName) ? roleDefinitionDeployment_rg.outputs.roleDefinitionScope : roleDefinitionDeployment_sub.outputs.roleDefinitionScope) diff --git a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json index 9c1e1945c8..e762016792 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json +++ b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json @@ -5,9 +5,12 @@ "roleName": { "value": "myCustomRoleAtSub" }, - // "resourceGroupName": { - // "value": "rbacTest" - // }, + "subscriptionId": { + "value": "8629be3b-96bc-482d-a04b-ffff597c65a2" + }, + "resourceGroupName": { + "value": "validation-rg" + }, "roleDescription": { "value": "" }, diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index c0957284dd..cf02c1e278 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md 
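Review bot: The three module conditions are exclusive but not exhaustive, and the two `output` lines assume one of them held: with `managementGroupId` and `subscriptionId` both set, or `resourceGroupName` set without `subscriptionId`, no module deploys and `roleDefinitionDeployment_mg.outputs...` (or `_rg`) references a skipped module, so the deployment fails at output evaluation instead of reporting the input error. Consider deciding the scope once, e.g. `var targetScope = !empty(managementGroupId) ? 'mg' : (!empty(resourceGroupName) ? 'rg' : 'sub')`, driving both the module conditions and the outputs from it, and stating in the `managementGroupId` description that the three scope parameters are mutually exclusive. `roleAssignments/deploy.bicep`, whose tail is at the top of this patch, pairs the same predicates and outputs.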
@@ -6,35 +6,85 @@ This module deploys custom RBAC Role Definitions. |Resource Type|ApiVersion| |:--|:--| -|`Microsoft.Authorization/roleDefinitions`|2018-07-01| -|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Authorization/roleDefinitions`|2018-01-01-preview| ## Parameters | Parameter Name | Type | Default Value | Possible values | Description | | :- | :- | :- | :- | :- | -| `roleName` | string | | | Required. Name of the custom RBAC role to be created. -| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. -| `roleDescription` | string | [] | | Optional. Description of the custom RBAC role to be created. -| `actions` | array | [] | | Optional. List of allowed actions. -| `notActions` | array | [] | | Optional. List of denied actions. -| `dataActions` | array | [] | | Optional. List of allowed data actions. -| `notDataActions` | array | [] | | Optional. List of denied data actions. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered +| `roleName` | string | | | Required. Name of the custom RBAC role to be created.| +| `roleDescription` | string | [] | | Optional. Description of the custom RBAC role to be created.| +| `actions` | array | [] | | Optional. List of allowed actions.| +| `notActions` | array | [] | | Optional. List of denied actions.| +| `dataActions` | array | [] | | Optional. List of allowed data actions.| +| `notDataActions` | array | [] | | Optional. List of denied data actions.| +| `managementGroupId` | string | "" | | Optional. The ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. | +| `subscriptionId` | string | "" | | Optional. 
The Subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | +| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. | +| `location` | string | "" | | Optional. Location for all resources. If not provided, will default to the deployment location. | ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | -| `definitionId` | string | The id of the role definition that was created. | -| `definitionScope` | string | The scope (subscription or resource group) this definition was created on. | +| `roleDefinitionId` | string | The id of the role definition that was created. | +| `roleDefinitionScope` | string | The scope this definition was created on. | + +## Modules Structure + +| Module | Level | Type | Target Scope | +| :--------------------------------- | :---- | ----------- | :--------------- | +| `deploy.bicep` | 0 | Main Module | Management Group | +| `nested_roleDefinitions_mg.bicep` | 1 | Sub Module | Management Group | +| `nested_roleDefinitions_sub.bicep` | 1 | Sub Module | Subscription | +| `nested_roleDefinitions_rg.bicep` | 1 | Sub Module | Resource Group | ## Considerations -This module can be deployed both at subscription or resource group level: +This module can be deployed the management group, subscription or resource group level: + +--- + +**Note**: The main `deploy.bicep` always deploys at the Management Group scope. That way it can perform deployments at lower scopes. + +--- + +### Management Group Deployment + + To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. 
**Example**: + +```json + "managementGroupId": { + "value": "contoso-group" + } +``` + +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. + +### Subscription Deployment + + To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: + +```json + "subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" + } +``` + +### Resource Group Deployment + + To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +```json + "subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" + }, + "resourceGroupName": { + "value": "target-resourceGroup" + } +``` -- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. -- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). ## Additional resources From 2cc5129d3e52d11a2b161c313ce96ceb09da053b Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 5 Oct 2021 15:18:25 +1100 Subject: [PATCH 02/36] updated user identity module --- .../scripts/New-ModuleDeployment.ps1 | 2 +- ...managedidentity.userassignedidentities.yml | 8 +- README.md | 2 +- .../.bicep/nested_cuaId.bicep | 0 .../.bicep/nested_rbac.bicep | 12 + .../userAssignedIdentities/deploy.bicep | 231 ++++++++++++++++++ 6 files changed, 249 insertions(+), 6 deletions(-) create mode 100644 arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep diff --git a/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1 b/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1 index ed3240303d..6ae17baca2 100644 --- a/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1 +++ b/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1 @@ -215,7 +215,7 @@ function New-ModuleDeployment { } } } - while ($Stoploop -eq $false -or $retryCount -eq $retryLimit) + until ($Stoploop -eq $true -or $retryCount -eq $retryLimit) Write-Verbose "Result" -Verbose Write-Verbose "------" -Verbose diff --git a/.github/workflows/ms.managedidentity.userassignedidentities.yml b/.github/workflows/ms.managedidentity.userassignedidentities.yml index c4cd61b69a..30cad21622 100644 --- a/.github/workflows/ms.managedidentity.userassignedidentities.yml +++ b/.github/workflows/ms.managedidentity.userassignedidentities.yml 
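Review bot: `until ($Stoploop -eq $true -or $retryCount -eq $retryLimit)` exits only when the counter lands exactly on the limit; if `$retryCount` is ever incremented past it (the increment is not in this hunk) the loop no longer terminates. `-ge` is the safer comparison: `until ($Stoploop -eq $true -or $retryCount -ge $retryLimit)`. The enclosing `New-ModuleDeployment` function starts and ends outside the hunk.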
@@ -81,7 +81,7 @@ jobs: - name: "Test module" uses: ./.github/actions/templates/validateModuleDeploy with: - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' @@ -116,7 +116,7 @@ jobs: uses: ./.github/actions/templates/deployModule with: moduleName: '${{ env.moduleName }}' - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' location: '${{ env.defaultLocation }}' resourceGroupName: '${{ env.resourceGroupName }}' @@ -146,7 +146,7 @@ jobs: - name: "Publish module" uses: ./.github/actions/templates/publishModule with: - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}' componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}' componentTemplateSpecName: '${{ env.moduleName }}' @@ -178,5 +178,5 @@ jobs: uses: ./.github/actions/templates/removeModule with: moduleName: '${{ env.moduleName }}' - templateFilePath: '${{ env.modulePath }}/deploy.json' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' resourceGroupName: '${{ env.resourceGroupName }}' \ No newline at end of file diff --git a/README.md b/README.md index 5ecb9f883d..ae3f911942 100644 --- a/README.md +++ b/README.md 
@@ -74,7 +74,7 @@ This repository includes a collection of advanced and curated Modules consisting | [KeyVault](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.KeyVault/vaults) | :heavy_check_mark: | [![KeyVault: Vaults](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [LogicApp](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Logic/workflows) | :heavy_check_mark: | [![Logic: Workflows](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Machine Learning Services](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.MachineLearningServices/workspaces) | | [![MachineLearningServices: Workspaces](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | | [![ManagedIdentity: Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | :heavy_check_mark: | [![ManagedIdentity: 
Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Lighthouse](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedServices/registrationDefinitions) | | [![ManagedServices: Registrationdefinitions](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Management groups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Management/managementGroups) | | [![Management: Managementgroups](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [AzureNetAppFiles](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.NetApp/netAppAccounts) | | [![NetApp: Netappaccounts](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_cuaId.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..b705e6eae9
--- /dev/null
+++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep
@@ -0,0 +1,12 @@
+param roleAssignment object
+param builtInRoleNames object
+param userMsiName string
+
+resource nested_rbac 'Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments@2020-04-01-preview' = [for i in range(0, length(roleAssignment.principalIds)): {
+ name: '${userMsiName}/Microsoft.Authorization/${guid(uniqueString(userMsiName, array(roleAssignment.principalIds)[i], roleAssignment.roleDefinitionIdOrName))}'
+ properties: {
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ principalId: array(roleAssignment.principalIds)[i]
+ }
+ dependsOn: []
+}]
diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
new file mode 100644
index 0000000000..dd45f9c181
--- /dev/null
+++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
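Review bot: The role assignment sets `roleDefinitionId` and `principalId` but no `principalType`; when the principal is a service principal created moments earlier, the assignment can fail with a not-found error until directory replication completes, which Azure's RBAC guidance avoids by passing `principalType: 'ServicePrincipal'`. If the module is meant to cover that case, expose it as an optional property of `roleAssignment` and emit `principalType` only when present. `dependsOn: []` is a no-op and can be dropped. The parent's `roleAssignments` description in `deploy.bicep` below names the property `principalId`, while this file reads `roleAssignment.principalIds`; the two should agree.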
@@ -0,0 +1,231 @@ +@description('Optional. Name of the User Assigned Identity.') +param userMsiName string = guid(resourceGroup().id) + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. Switch to lock Resource from deletion.') +param lockForDeletion bool = false + +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + +@description('Optional. Tags of the resource.') +param tags object = {} + +@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') +param cuaId string = '' + +var builtInRoleNames = { + AcrDelete: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + AcrImageSigner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f' + AcrPull: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d' + AcrPush: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' + AcrQuarantineReader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04' + AcrQuarantineWriter: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608' + 'API Management Service Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c' + 'API Management Service Operator Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61' + 'API Management Service Reader Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d' + 'App Configuration Data Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' + 'App Configuration Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071' + 'Application Insights Component Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e' + 'Application Insights Snapshot Debugger': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b' + 'Attestation Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e' + 'Attestation Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3' + 'Automation Job Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f' + 'Automation Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404' + 'Automation Runbook Operator': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5' + 'Avere Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a' + 'Avere Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9' + 'Azure Connected Machine Onboarding': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7' + 'Azure Connected Machine Resource Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302' + 'Azure Digital Twins Owner (Preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' + 'Azure Digital Twins Reader (Preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' + 'Azure Event Hubs Data Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec' + 'Azure Event Hubs Data Receiver': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde' + 'Azure Event Hubs Data Sender': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975' + 'Azure Kubernetes Service Cluster Admin Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8' + 'Azure Kubernetes Service Cluster User Role': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f' + 'Azure Kubernetes Service Contributor Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' + 'Azure Maps Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204' + 'Azure Maps Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa' + 'Azure Sentinel Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade' + 'Azure Sentinel Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb' + 'Azure Sentinel Responder': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056' + 'Azure Service Bus Data Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419' + 'Azure Service Bus Data Receiver': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' + 'Azure Service Bus Data Sender': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' + 'Azure Stack Registration Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a' + 'Backup Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b' + 'Backup Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324' + 'Backup Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912' + 'Billing Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64' + 'BizTalk Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342' + 'Blockchain Member Node Access (Preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24' + 'Blueprint Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4' + 'Blueprint Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090' + 'CDN Endpoint Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45' + 'CDN Endpoint Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd' + 'CDN Profile Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432' + 'CDN Profile Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af' + 'Classic Network Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f' + 'Classic Storage Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25' + 'Classic Storage Account Key Operator Service Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d' + 'Classic Virtual Machine Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb' + 'ClearDB MySQL DB Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe' + 'Cognitive Services Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68' + 'Cognitive Services Custom Vision Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3' + 'Cognitive Services Custom Vision Deployment': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f' + 'Cognitive Services Custom Vision Labeler': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c' + 'Cognitive Services Custom Vision Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73' + 'Cognitive Services Custom Vision Trainer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b' + 'Cognitive Services Data Reader (Preview)': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c' + 'Cognitive Services QnA Maker Editor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025' + 'Cognitive Services QnA Maker Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126' + 'Cognitive Services User': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908' + 'Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + 'Cosmos DB Account Reader Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8' + 'Cosmos DB Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa' + 'CosmosBackupOperator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb' + 'Cost Management Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430' + 'Cost Management Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3' + 'Data Box Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5' + 'Data Box Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027' + 'Data Factory Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5' + 'Data Lake Analytics Developer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88' + 'Data Purger': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90' + 'Desktop Virtualization User': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63' + 'DevTest Labs User': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64' + 'DNS Zone Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314' + 'DocumentDB Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450' + 'EventGrid EventSubscription Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443' + 'EventGrid EventSubscription Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405' + 'Experimentation Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c' + 'Experimentation Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c' + 'Experimentation Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' + 
'FHIR Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' + 'FHIR Data Exporter': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' + 'FHIR Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' + 'FHIR Data Writer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' + 'Graph Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9' + 'HDInsight Cluster Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a' + 'HDInsight Domain Services Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c' + 'Hierarchy Settings Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d' + 'Hybrid Server Onboarding': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb' + 'Hybrid Server Resource Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624' + 'Integration Service Environment Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8' + 'Integration Service Environment Developer': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec' + 'Intelligent Systems Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e' + 'Key Vault Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395' + 'Knowledge Consumer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c' + 'Kubernetes Cluster - Azure Arc Onboarding': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41' + 'Lab Creator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead' + 'Log Analytics Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' + 'Log Analytics Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893' + 'Logic App Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e' + 'Logic App Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe' + 'Managed Application Contributor Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' + 'Managed Application Operator Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae' + 
'Managed Applications Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44' + 'Managed Identity Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59' + 'Managed Identity Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830' + 'Managed Services Registration assignment Delete ': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46' + 'Management Group Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c' + 'Management Group Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d' + 'Marketplace Admin': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f' + 'Monitoring Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' + 'Monitoring Metrics Publisher': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb' + 'Monitoring Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05' + 'Network Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7' + 'New Relic APM Account Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237' + 'Object Understanding Account Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745' + 'Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' + 'Policy Insights Data Writer (Preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84' + 'Private DNS Zone Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f' + 'Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' + 'Reader and Data Access': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349' + 'Redis Cache Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17' + 'Remote Rendering Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e' + 'Remote Rendering Client': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a' + 'Resource Policy Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608' + 'Scheduler Job Collections Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94' + 'Search Service 
Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0' + 'Security Admin': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd' + 'Security Assessment Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5' + 'Security Manager (Legacy)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10' + 'Security Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4' + 'SignalR AccessKey Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e' + 'SignalR Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761' + 'Site Recovery Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567' + 'Site Recovery Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca' + 'Site Recovery Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149' + 'Spatial Anchors Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827' + 'Spatial Anchors Account Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c' + 'Spatial 
Anchors Account Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413' + 'SQL DB Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec' + 'SQL Managed Instance Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d' + 'SQL Security Manager': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3' + 'SQL Server Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437' + 'Storage Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab' + 'Storage Account Key Operator Service Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12' + 'Storage Blob Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe' + 'Storage Blob Data Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b' + 'Storage Blob Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + 'Storage Blob Delegator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a' + 'Storage File Data SMB Share Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb' + 'Storage File Data SMB Share Elevated Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7' + 'Storage File Data SMB Share Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314' + 'Storage Queue Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88' + 'Storage Queue Data Message Processor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed' + 'Storage Queue Data Message Sender': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a' + 'Storage Queue Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925' + 'Support Request Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e' + 'Tag Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' + 'Traffic Manager Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7' + 'User Access Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' + 'Virtual Machine Administrator Login': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4' + 'Virtual Machine Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c' + 'Virtual Machine User Login': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52' + 'Web Plan Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b' + 'Website Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772' + 'Workbook Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad' + 'Workbook Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d' +} + +module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource userMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: userMsiName + location: location + tags: tags +} + +resource userMsi_lock 'Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks@2017-04-01' = if (lockForDeletion) { + name: '${userMsiName}/Microsoft.Authorization/msiDoNotDelete' + properties: { + level: 'CannotDelete' + } + dependsOn: [ + userMsi + ] +} + +module userMsi_rbac './.bicep/nested_rbac.bicep' = [for (roleassignment, index) in roleAssignments: { + name: '${uniqueString(deployment().name, location)}-userMsi-Rbac-${index}' + params: { + roleAssignment: roleassignment + builtInRoleNames: builtInRoleNames + userMsiName: userMsiName + } + dependsOn: [ + userMsi + ] +}] + +output msiName 
string = userMsiName
+output msiResourceId string = userMsi.id
+output msiPrincipalId string = userMsi.properties.principalId
+output msiResourceGroup string = resourceGroup().name

From d18259edf68a6bb88c958a818e1095fdd772f238 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Tue, 5 Oct 2021 17:13:28 +1100
Subject: [PATCH 03/36] catered for scenario where retryLimit is set to 1

---
 .../templates/deployModule/scripts/New-ModuleDeployment.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1 b/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1
index 6ae17baca2..db615d6064 100644
--- a/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1
+++ b/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1
@@ -215,7 +215,7 @@ function New-ModuleDeployment {
             }
         }
     }
-    until ($Stoploop -eq $true -or $retryCount -eq $retryLimit)
+    until ($Stoploop -eq $true -or $retryCount -gt $retryLimit)
 
     Write-Verbose "Result" -Verbose
     Write-Verbose "------" -Verbose

From 885675a9f8866a5ae16e4fe9895ac3e0e8316a2a Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Tue, 5 Oct 2021 17:53:44 +1100
Subject: [PATCH 04/36] added (ge) instead of (gt) for catch

---
 .../templates/deployModule/scripts/New-ModuleDeployment.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1 b/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1
index db615d6064..c0d40cb5f5 100644
--- a/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1
+++ b/.github/actions/templates/deployModule/scripts/New-ModuleDeployment.ps1
@@ -204,7 +204,7 @@ function New-ModuleDeployment {
                 $Stoploop = $true
             }
             catch {
-                if ($retryCount -gt $retryLimit) {
+                if ($retryCount -ge $retryLimit) {
                     throw $PSitem.Exception.Message
                     $Stoploop = $true
                 }
@@ -213,9 +213,9 @@ function New-ModuleDeployment {
                     Start-Sleep -Seconds 5
                     $retryCount++
                 }
-            }
+            }
         }
-    until ($Stoploop -eq $true -or $retryCount -gt $retryLimit)
+    until ($Stoploop -eq $true -or $retryCount -gt $retryLimit)
 
     Write-Verbose "Result" -Verbose
     Write-Verbose "------" -Verbose

From 513e45a48297cb105f778f546466e11bb3b76b4b Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Tue, 5 Oct 2021 19:17:28 +1100
Subject: [PATCH 05/36] updated based on comments

---
 .../.bicep/nested_rbac.bicep                  |   8 +-
 .../userAssignedIdentities/deploy.bicep       | 190 +--------
 .../userAssignedIdentities/deploy.json        | 360 ------------------
 3 files changed, 20 insertions(+), 538 deletions(-)
 delete mode 100644 arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json

diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep
index b705e6eae9..291bbe9c8c 100644
--- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/.bicep/nested_rbac.bicep
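Review bot: In the catch block of the first hunk, `$Stoploop = $true` after `throw $PSitem.Exception.Message` is unreachable, and throwing only the message string discards the ErrorRecord (inner exception, script stack, the failing resource), which is exactly the detail needed when a deployment is rejected by policy or RBAC in the pipeline. Rethrow the record and drop the dead line: `throw $PSItem`. With the catch now exiting at `-ge`, the `$retryCount -gt $retryLimit` clause in the `until` of the second hunk can no longer become true before the throw (assuming `$retryCount` starts at or below `$retryLimit`), so the loop ends only through `$Stoploop` or the exception; if that is intended, `until ($Stoploop -eq $true)` says so. How many attempts `retryLimit = 1` actually yields depends on the initial value of `$retryCount`, which is set outside the hunk, so a comment on the `until` line stating the attempt count would help. The enclosing function New-ModuleDeployment and its do block start outside the hunk.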
@@ -1,12 +1,12 @@
 param roleAssignment object
 param builtInRoleNames object
-param userMsiName string
+param resourceName string
 
-resource nested_rbac 'Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments@2020-04-01-preview' = [for i in range(0, length(roleAssignment.principalIds)): {
-  name: '${userMsiName}/Microsoft.Authorization/${guid(uniqueString(userMsiName, array(roleAssignment.principalIds)[i], roleAssignment.roleDefinitionIdOrName))}'
+resource nested_rbac 'Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
+  name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignment.roleDefinitionIdOrName)}'
   properties: {
     roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
-    principalId: array(roleAssignment.principalIds)[i]
+    principalId: principalId
   }
   dependsOn: []
 }]

diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
index dd45f9c181..5b83985358 100644
--- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
+++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
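Review bot: The assignment name on the new `name:` line is seeded only from `resourceName`, `principalId` and the role, so two identities with the same name in different resource groups or subscriptions of one tenant produce the same GUID; as far as I know role assignment names have to be unique in the tenant, so the second deployment is likely to fail (it would not silently grant anything, but it blocks the pipeline). Seeding with the deployment scope avoids the collision: `name: '${resourceName}/Microsoft.Authorization/${guid(resourceGroup().id, resourceName, principalId, roleAssignment.roleDefinitionIdOrName)}'`. Either way the commit already changes the seed by dropping `uniqueString`, so an incremental redeploy creates assignments under new names and leaves the old ones in place; those orphaned grants need to be cleaned up, and a sentence in the readme or commit message should say so. The `roleDefinitionIdOrName` fallback on the `roleDefinitionId` line passes any unrecognised string through verbatim, which fails closed at deploy time for a typo but deserves a comment; `dependsOn: []` is a no-op and can go.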
@@ -17,179 +17,21 @@ param tags object = {} param cuaId string = '' var builtInRoleNames = { - AcrDelete: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - AcrImageSigner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f' - AcrPull: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d' - AcrPush: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' - AcrQuarantineReader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04' - AcrQuarantineWriter: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608' - 'API Management Service Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c' - 'API Management Service Operator Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61' - 'API Management Service Reader Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d' - 'App Configuration Data Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' - 'App Configuration Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071' - 'Application Insights Component Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e' - 'Application Insights Snapshot Debugger': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b' - 'Attestation Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e' - 'Attestation Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3' - 'Automation Job Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f' - 'Automation Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404' - 'Automation Runbook Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5' - 'Avere Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a' - 'Avere Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9' - 'Azure Connected Machine Onboarding': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7' - 'Azure Connected Machine Resource Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302' - 'Azure Digital Twins Owner (Preview)': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' - 'Azure Digital Twins Reader (Preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' - 'Azure Event Hubs Data Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec' - 'Azure Event Hubs Data Receiver': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde' - 'Azure Event Hubs Data Sender': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975' - 'Azure Kubernetes Service Cluster Admin Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8' - 'Azure Kubernetes Service Cluster User Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f' - 'Azure Kubernetes Service Contributor Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' - 'Azure Maps Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204' - 'Azure Maps Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa' - 'Azure Sentinel Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade' - 'Azure Sentinel Reader': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb' - 'Azure Sentinel Responder': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056' - 'Azure Service Bus Data Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419' - 'Azure Service Bus Data Receiver': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' - 'Azure Service Bus Data Sender': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' - 'Azure Stack Registration Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a' - 'Backup Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b' - 'Backup Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324' - 'Backup Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912' - 'Billing Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64' - 'BizTalk Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342' - 'Blockchain Member Node Access (Preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24' - 'Blueprint Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4' - 'Blueprint Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090' - 'CDN Endpoint Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45' - 'CDN Endpoint Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd' - 'CDN Profile Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432' - 'CDN Profile Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af' - 'Classic Network Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f' - 'Classic Storage Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25' - 'Classic Storage Account Key Operator Service Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d' - 'Classic Virtual Machine Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb' - 'ClearDB MySQL DB Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe' - 'Cognitive Services Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68' - 'Cognitive Services Custom Vision Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3' - 'Cognitive Services Custom Vision Deployment': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f' - 'Cognitive Services Custom Vision Labeler': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c' - 'Cognitive Services Custom Vision Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73' - 'Cognitive Services Custom Vision Trainer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b' - 'Cognitive Services Data Reader (Preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c' - 'Cognitive Services QnA Maker Editor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025' - 'Cognitive Services QnA Maker Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126' - 'Cognitive Services User': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908' - 'Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - 'Cosmos DB Account Reader Role': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8' - 'Cosmos DB Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa' - 'CosmosBackupOperator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb' - 'Cost Management Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430' - 'Cost Management Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3' - 'Data Box Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5' - 'Data Box Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027' - 'Data Factory Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5' - 'Data Lake Analytics Developer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88' - 'Data Purger': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90' - 'Desktop Virtualization User': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63' - 'DevTest Labs User': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64' - 'DNS Zone Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314' - 'DocumentDB Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450' - 'EventGrid EventSubscription Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443' - 'EventGrid EventSubscription Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405' - 'Experimentation Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c' - 'Experimentation Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c' - 'Experimentation Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' - 'FHIR Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' - 'FHIR Data Exporter': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' - 'FHIR Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' - 'FHIR Data Writer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' - 'Graph Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9' - 'HDInsight Cluster 
Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a' - 'HDInsight Domain Services Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c' - 'Hierarchy Settings Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d' - 'Hybrid Server Onboarding': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb' - 'Hybrid Server Resource Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624' - 'Integration Service Environment Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8' - 'Integration Service Environment Developer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec' - 'Intelligent Systems Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e' - 'Key Vault Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395' - 'Knowledge Consumer': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c' - 'Kubernetes Cluster - Azure Arc Onboarding': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41' - 'Lab Creator': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead' - 'Log Analytics Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' - 'Log Analytics Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893' - 'Logic App Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e' - 'Logic App Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe' - 'Managed Application Contributor Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' - 'Managed Application Operator Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae' - 'Managed Applications Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44' - 'Managed Identity Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59' - 'Managed Identity Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830' - 'Managed Services Registration assignment Delete ': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46' - 'Management Group Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c' - 'Management Group Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d' - 'Marketplace Admin': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f' - 'Monitoring Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' - 'Monitoring Metrics Publisher': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb' - 'Monitoring Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05' - 'Network Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7' - 'New Relic APM Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237' - 'Object Understanding Account Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745' - 'Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' - 'Policy Insights Data Writer (Preview)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84' - 'Private DNS Zone Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f' - 'Reader': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' - 'Reader and Data Access': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349' - 'Redis Cache Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17' - 'Remote Rendering Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e' - 'Remote Rendering Client': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a' - 'Resource Policy Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608' - 'Scheduler Job Collections Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94' - 'Search Service Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0' - 'Security Admin': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd' - 'Security Assessment Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5' - 'Security Manager (Legacy)': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10' - 'Security Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4' - 'SignalR 
AccessKey Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e' - 'SignalR Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761' - 'Site Recovery Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567' - 'Site Recovery Operator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca' - 'Site Recovery Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149' - 'Spatial Anchors Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827' - 'Spatial Anchors Account Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c' - 'Spatial Anchors Account Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413' - 'SQL DB Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec' - 'SQL Managed Instance Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d' - 'SQL Security Manager': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3' - 'SQL Server Contributor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437' - 'Storage Account Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab' - 'Storage Account Key Operator Service Role': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12' - 'Storage Blob Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe' - 'Storage Blob Data Owner': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b' - 'Storage Blob Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' - 'Storage Blob Delegator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a' - 'Storage File Data SMB Share Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb' - 'Storage File Data SMB Share Elevated Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7' - 'Storage File Data SMB Share Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314' - 'Storage Queue Data Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88' - 'Storage Queue Data Message Processor': 
'/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed' - 'Storage Queue Data Message Sender': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a' - 'Storage Queue Data Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925' - 'Support Request Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e' - 'Tag Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' - 'Traffic Manager Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7' - 'User Access Administrator': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' - 'Virtual Machine Administrator Login': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4' - 'Virtual Machine Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c' - 'Virtual Machine User Login': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52' - 'Web Plan Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b' - 'Website Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772' - 
'Workbook Contributor': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
- 'Workbook Reader': '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Managed Identity Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')
+ 'Managed Identity Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f1a07417-d97a-45cb-824c-7a7467783830')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}
module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -218,7 +60,7 @@ module userMsi_rbac './.bicep/nested_rbac.bicep' = [for (roleassignment, index)
params: {
roleAssignment: roleassignment
builtInRoleNames: builtInRoleNames
- userMsiName: userMsiName
+ resourceName: userMsiName
}
dependsOn: [
userMsi
diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json
deleted file mode 100644
index 46f36ae224..0000000000
--- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.json
+++ /dev/null
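Review bot: The `builtInRoleNames: builtInRoleNames` line in this hunk now passes nested_rbac.bicep a lookup table that the preceding hunk of the same file shrinks from the full built-in role list to fifteen entries, so a roleAssignments entry that names any other built-in role by display name (for example 'Storage Blob Data Contributor', which the removed map carried) no longer has a match in this file, even though the parameter description in the deleted deploy.json still promises that a display name is accepted. What happens on a miss depends on nested_rbac.bicep, which is outside this diff, but it is presumably either a failed deployment or an assignment of an unintended role, and for RBAC either outcome should be made explicit rather than left to the nested template. A comment above the map such as `// Only the roles listed here resolve by display name; pass a full roleDefinition resource ID for any other built-in or custom role` and the same sentence in the roleAssignments parameter description would make that contract visible to callers. The rename of `userMsiName` to `resourceName` must also be mirrored by the param declared in nested_rbac.bicep, which this view cannot confirm.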
@@ -1,360 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "userMsiName": { - "type": "string", - "defaultValue": "[guid(resourceGroup().id)]", - "metadata": { - "description": "Optional. Name of the User Assigned Identity." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Resource from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "builtInRoleNames": { - "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration Data Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", - "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", - "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", - "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", - "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", - "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", - "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", - "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", - "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", - "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", - "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", - "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", - "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data 
Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", - "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", - "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", - "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", - "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Experimentation 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", - "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", - "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", - "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", - "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", - "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'350f8d15-c687-4448-8ae1-157740a3936d')]", - "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", - "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", - "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", - "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", - "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", - "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", - "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
- "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
- "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
- "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
- "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
- "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
- "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
- }
- },
- "resources": [
- {
- "condition": "[not(empty(parameters('cuaId')))]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2021-01-01",
- "name": "[concat('pid-', parameters('cuaId'))]",
- "properties": {
- "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": [
- ]
- }
- }
- },
- {
- "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
- "name": "[parameters('userMsiName')]",
- "apiVersion": "2018-11-30",
- "location": "[parameters('location')]",
- "tags": "[parameters('tags')]",
- "resources": [
- {
- "type": "providers/locks",
- "apiVersion": "2016-09-01",
- "condition": "[parameters('lockForDeletion')]",
- "name": "Microsoft.Authorization/msiDoNotDelete",
- "dependsOn": [
- "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userMsiName'))]"
- ],
- "comments": "Resource lock on the MSI",
- "properties": {
- "level": "CannotDelete"
- }
- }
- ]
- },
- {
- "name": "[concat('rbac-',deployment().name, copyIndex())]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2021-01-01",
- "condition": "[not(empty(parameters('roleAssignments')))]",
- "dependsOn": [
- "[parameters('userMsiName')]"
- ],
- "copy": {
- "name": "rbacDeplCopy",
- "count": "[length(parameters('roleAssignments'))]"
- },
- "properties": {
- "mode": "Incremental",
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "parameters": {
- "roleAssignment": {
- "value": "[parameters('roleAssignments')[copyIndex()]]"
- },
- "builtInRoleNames": {
- "value": "[variables('builtInRoleNames')]"
- },
- "userMsiName": {
- "value": "[parameters('userMsiName')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "roleAssignment": {
- "type": "object"
- },
- "builtInRoleNames": {
- "type": "object"
- },
- "userMsiName": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments",
- "apiVersion": "2020-04-01-preview",
- "name": "[concat(parameters('userMsiName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('userMsiName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
- "dependsOn": [
- ],
- "copy": {
- "name": "innerRbacCopy",
- "count": "[length(parameters('roleAssignment').principalIds)]"
- },
- "properties": {
- "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
- "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
- }
- }
- ]
- }
- }
- }
- ],
- "functions": [
- ],
- "outputs": {
- "msiName": {
- "type": "string",
- "value": "[parameters('userMsiName')]",
- "metadata": {
- "description": "The name of the User Assigned Identity."
- }
- },
- "msiResourceId": {
- "type": "string",
- "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userMsiName'))]",
- "metadata": {
- "description": "The Resource Id of the User Assigned Identity."
- }
- },
- "msiPrincipalId": {
- "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('userMsiName'))).principalId]",
- "type": "string",
- "metadata": {
- "description": "The Principal Id of the User Assigned Identity."
- }
- },
- "msiResourceGroup": {
- "type": "string",
- "value": "[resourceGroup().name]",
- "metadata": {
- "description": "The name of the Resource Group the User Assigned Identity was created in."
- }
- }
- }
-}
From f7af60b05337e976aca8283b4cb485366561c5d0 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Tue, 5 Oct 2021 20:56:06 +1100
Subject: [PATCH 06/36] updated lock scope
---
 .../userAssignedIdentities/deploy.bicep | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
index 5b83985358..21c00a29ee 100644
--- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
+++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep
@@ -50,9 +50,7 @@ resource userMsi_lock 'Microsoft.ManagedIdentity/userAssignedIdentities/provider
 properties: {
 level: 'CannotDelete'
 }
- dependsOn: [
- userMsi
- ]
+ scope: userMsi
 }
 
 module userMsi_rbac './.bicep/nested_rbac.bicep' = [for (roleassignment, index) in roleAssignments: {
From 80b8ef49c17b8552877357edd29856f31046155c Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Tue, 5 Oct 2021 21:20:32 +1100
Subject: [PATCH 07/36] updated test error for readme
---
 arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md
index 4b6fe0b925..ac26ae02b1 100644
--- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md
+++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md
@@ -9,7 +9,7 @@ This module deploys User Assigned Identities, with resource lock.
 |:--|:--|
 |`Microsoft.Resources/deployments`|2018-02-01|
 |`Microsoft.ManagedIdentity/userAssignedIdentities`|2018-11-30|
-|`providers/locks`|2016-09-01|
+|`Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks`|2017-04-01|
 |`Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments`|2018-09-01-preview|
 
 ## Parameters
From 155cd44f12ca089d5331437efa9409e031dd183e Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Tue, 5 Oct 2021 21:27:26 +1100
Subject: [PATCH 08/36] updated readme
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 768a361b0f..ccba01813a 100644
--- a/README.md
+++ b/README.md
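Review bot: `scope: userMsi` is being added to a resource declared with the nested `Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks` type (the declaration and its `name` begin above the hunk), and that nested form normally carries the parent identity in the resource `name`; combining it with an explicit `scope` risks the compiled template attaching the lock somewhere other than the identity. Please confirm the emitted ARM still produces a `CannotDelete` lock on the identity itself and not on the resource group, because a lock at the wrong scope either protects nothing or blocks unrelated deletions. The idiomatic Bicep form is the extension resource `resource userMsi_lock 'Microsoft.Authorization/locks@2017-04-01' = {` with `scope: userMsi` and `name` reduced to the bare lock name. Dropping the explicit `dependsOn` looks fine, since the symbolic reference in `scope` should already imply the ordering.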
@@ -125,7 +125,7 @@ This repository includes a collection of advanced and curated Modules consisting | [StorageAccounts](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Storage/storageAccounts) | :heavy_check_mark: | [![Storage Account](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Subscription](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Subscription/aliases) | | [![Subscription: Aliases](https://github.com/Azure/ResourceModules/actions/workflows/ms.subscription.aliases.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.subscription.aliases.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [TrafficManager](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/trafficmanagerprofiles) | | [![Network: Trafficmanagerprofiles](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | | [![ManagedIdentity: Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | :heavy_check_mark: | 
[![ManagedIdentity: Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Machine Scale Sets](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Compute/virtualMachineScaleSets) | :heavy_check_mark: | [![Compute: Virtualmachinescalesets](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Machines](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Compute/virtualMachines) | | [![Compute: Virtualmachines](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Network](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/virtualNetworks) | :heavy_check_mark: | [![Network: Virtualnetworks](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | From 45c5d9371515df47c1f4429d79f9a5abdf74d4da Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 5 Oct 2021 21:29:40 +1100 Subject: [PATCH 09/36] fixed readme --- README.md | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) 
diff --git a/README.md b/README.md index ccba01813a..f53b07e484 100644 --- a/README.md +++ b/README.md 
@@ -54,20 +54,6 @@ This repository includes a collection of advanced and curated Modules consisting | [Azure Databricks](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Databricks/workspaces) | | [![Databricks: Workspaces](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.databricks.workspaces.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Azure Health Bot](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.HealthBot/healthBots) | | [![HealthBot: Healthbots](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.healthbot.healthbots.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Azure Monitor Private Link Scope](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Insights/privateLinkScopes) | | [![Insights: Privatelinkscopes](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.privatelinkscopes.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -<<<<<<< HEAD -| [Scheduled Query Rules](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Insights/scheduledQueryRules) | | [![Insights: Scheduledqueryrules](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.insights.scheduledqueryrules.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [KeyVault](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.KeyVault/vaults) | :heavy_check_mark: | [![KeyVault: 
Vaults](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.keyvault.vaults.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [LogicApp](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Logic/workflows) | :heavy_check_mark: | [![Logic: Workflows](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.logic.workflows.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [Machine Learning Services](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.MachineLearningServices/workspaces) | | [![MachineLearningServices: Workspaces](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.machinelearningservices.workspaces.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | :heavy_check_mark: | [![ManagedIdentity: Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [Lighthouse](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedServices/registrationDefinitions) | | [![ManagedServices: 
Registrationdefinitions](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedservices.registrationdefinitions.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [Management groups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Management/managementGroups) | | [![Management: Managementgroups](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.management.managementgroups.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [AzureNetAppFiles](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.NetApp/netAppAccounts) | | [![NetApp: Netappaccounts](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.netapp.netappaccounts.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [ApplicationGateway](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/applicationGateways) | | [![Network: Applicationgateways](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationgateways.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [ApplicationSecurityGroups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/applicationSecurityGroups) | | [![Network: Applicationsecuritygroups](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.applicationsecuritygroups.yml) | [![Deploy to 
Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [AzureFirewall](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/azureFirewalls) | | [![Network: Azurefirewalls](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -======= ->>>>>>> upstream/main | [AzureBastion](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/bastionHosts) | | [![Network: Bastionhosts](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.bastionhosts.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [AzureFirewall](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/azureFirewalls) | | [![Network: Azurefirewalls](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.azurefirewalls.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [AzureKubernetesService](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ContainerService/managedClusters) | | [![ContainerService: Managedclusters](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.containerservice.managedclusters.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | 
@@ -125,7 +111,7 @@ This repository includes a collection of advanced and curated Modules consisting | [StorageAccounts](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Storage/storageAccounts) | :heavy_check_mark: | [![Storage Account](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Subscription](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Subscription/aliases) | | [![Subscription: Aliases](https://github.com/Azure/ResourceModules/actions/workflows/ms.subscription.aliases.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.subscription.aliases.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [TrafficManager](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/trafficmanagerprofiles) | | [![Network: Trafficmanagerprofiles](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | :heavy_check_mark: | [![ManagedIdentity: Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | | 
[![ManagedIdentity: Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Machine Scale Sets](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Compute/virtualMachineScaleSets) | :heavy_check_mark: | [![Compute: Virtualmachinescalesets](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Machines](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Compute/virtualMachines) | | [![Compute: Virtualmachines](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Network](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/virtualNetworks) | :heavy_check_mark: | [![Network: Virtualnetworks](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | From a5fb7da45eebfccd808dbf5ee57d354cd4b371ec Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 5 Oct 2021 21:31:56 +1100 Subject: [PATCH 10/36] updated readme with check mark --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index f53b07e484..1051a87e4c 100644 --- a/README.md +++ b/README.md 
@@ -111,7 +111,7 @@ This repository includes a collection of advanced and curated Modules consisting | [StorageAccounts](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Storage/storageAccounts) | :heavy_check_mark: | [![Storage Account](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.storage.storageaccounts.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Subscription](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Subscription/aliases) | | [![Subscription: Aliases](https://github.com/Azure/ResourceModules/actions/workflows/ms.subscription.aliases.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.subscription.aliases.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [TrafficManager](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/trafficmanagerprofiles) | | [![Network: Trafficmanagerprofiles](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.trafficmanagerprofiles.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | -| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | | [![ManagedIdentity: Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | +| [User Assigned Identities](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.ManagedIdentity/userAssignedIdentities) | :heavy_check_mark: | 
[![ManagedIdentity: Userassignedidentities](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.managedidentity.userassignedidentities.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Machine Scale Sets](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Compute/virtualMachineScaleSets) | :heavy_check_mark: | [![Compute: Virtualmachinescalesets](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachinescalesets.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Machines](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Compute/virtualMachines) | | [![Compute: Virtualmachines](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.compute.virtualmachines.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | | [Virtual Network](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/virtualNetworks) | :heavy_check_mark: | [![Network: Virtualnetworks](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.virtualnetworks.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() | From 3cc62bab4f1afab6ba6f63ed896a6d2033015f88 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 5 Oct 2021 21:55:53 +1100 Subject: [PATCH 11/36] updated lock resource --- .../userAssignedIdentities/deploy.bicep | 6 +++--- .../userAssignedIdentities/readme.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep index 21c00a29ee..edc6fa49a0 100644 --- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/deploy.bicep @@ -45,10 +45,10 @@ resource userMsi 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = tags: tags } -resource userMsi_lock 'Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks@2017-04-01' = if (lockForDeletion) { - name: '${userMsiName}/Microsoft.Authorization/msiDoNotDelete' +resource userMsi_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) { + name: '${userMsi.name}-DoNotDelete' properties: { - level: 'CannotDelete' + level: 'CanNotDelete' } scope: userMsi } diff --git a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md index ac26ae02b1..839107b7f3 100644 --- a/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md +++ b/arm/Microsoft.ManagedIdentity/userAssignedIdentities/readme.md @@ -9,7 +9,7 @@ This module deploys User Assigned Identities, with resource lock. |:--|:--| |`Microsoft.Resources/deployments`|2018-02-01| |`Microsoft.ManagedIdentity/userAssignedIdentities`|2018-11-30| -|`Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks`|2017-04-01| +|`Microsoft.Authorization/locks`|2016-09-01| |`Microsoft.ManagedIdentity/userAssignedIdentities/providers/roleAssignments`|2018-09-01-preview| ## Parameters From c8e90928d1f1a949f3593737a50ab38083cafce5 Mon Sep 17 00:00:00 2001 
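Review bot: The new `Microsoft.Authorization/locks@2016-09-01` resource sets `level: 'CanNotDelete'` but no `notes`, so an engineer whose delete is blocked later sees only the `-DoNotDelete` suffix and nothing about which module owns the lock or that `lockForDeletion` toggles it. `properties.notes` is the place for that, e.g. `notes: 'Deployed by the userAssignedIdentities module when lockForDeletion is true; remove the lock before deleting the identity'`. The `userMsi` resource this lock is scoped to starts above the hunk.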
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 09:47:21 +1100 Subject: [PATCH 12/36] Clean up commit --- .../.bicep/nested_policyDefinitions_mg.bicep | 3 +- .../.bicep/nested_policyDefinitions_sub.bicep | 3 +- .../policyDefinitions/deploy.bicep | 16 +- .../policyExemptions/deploy.bicep | 10 +- .../.bicep/nested_roleAssignments_mg.bicep | 1 + .../.bicep/nested_roleAssignments_rg.bicep | 1 + .../.bicep/nested_roleAssignments_sub.bicep | 1 + .../roleAssignments/deploy.bicep | 1 + .../roleAssignments/deploy.json | 432 ------------------ .../roleDefinitions/deploy.bicep | 10 +- .../roleDefinitions/deploy.json | 238 ---------- .../parameters/parameters.json | 4 +- .../roleDefinitions/readme.md | 10 +- 13 files changed, 23 insertions(+), 707 deletions(-) delete mode 100644 arm/Microsoft.Authorization/roleAssignments/deploy.json delete mode 100644 arm/Microsoft.Authorization/roleDefinitions/deploy.json diff --git a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep index ae93d9e164..250c373301 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep +++ b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep @@ -2,7 +2,6 @@ targetScope = 'managementGroup' param policyDefinitionName string param policyDefinitionProperties object param managementGroupId string -param returnRoleDefinitionIds bool = false param location string = deployment().location resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = { 
@@ -12,4 +11,4 @@ resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01'
 }
 
 output policyDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/policyDefinitions',policyDefinition.name)
-output roleDefinitionIds array = returnRoleDefinitionIds ? policyDefinitionProperties.policyRule.then.details.roleDefinitionIds : []
+output roleDefinitionIds array = (contains(policyDefinitionProperties.policyRule.then, 'details') ? ((contains(policyDefinitionProperties.policyRule.then.details, 'roleDefinitionIds') ? policyDefinitionProperties.policyRule.then.details.roleDefinitionIds : [])) : [])
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
index 55298e891d..33a10efdce 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
@@ -2,7 +2,6 @@ targetScope = 'subscription'
 param policyDefinitionName string
 param policyDefinitionProperties object
 param subscriptionId string = subscription().id
-param returnRoleDefinitionIds bool = false
 param location string = deployment().location
 
 resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
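Review bot: The new `roleDefinitionIds` output quietly yields `[]` whenever `policyRule.then.details` or `details.roleDefinitionIds` is absent, and the identical expression is repeated verbatim in the nested_policyDefinitions_sub.bicep hunk that follows. If this output is what callers use to grant the policy's remediation identity (inferred; the consumer is not in this diff), a DeployIfNotExists or Modify rule that omitted `roleDefinitionIds` would deploy with no permissions rather than fail, which deserves a sentence in a comment next to the output. The nested `?:` instead of `&&` looks deliberate, since Bicep's `&&` compiles to ARM `and()`, which evaluates both operands, so `then.details.roleDefinitionIds` would be touched even when `details` is missing; a comment such as `// nested conditionals on purpose: && does not short-circuit in ARM, so details.roleDefinitionIds must not be evaluated when details is absent` keeps the next editor from "simplifying" it. Hoisting `var policyThen = policyDefinitionProperties.policyRule.then` would also make the line readable.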
@@ -12,4 +11,4 @@ resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01'
 }
 
 output policyDefinitionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/policyDefinitions',policyDefinition.name)
-output roleDefinitionIds array = returnRoleDefinitionIds ? policyDefinitionProperties.policyRule.then.details.roleDefinitionIds : []
+output roleDefinitionIds array = (contains(policyDefinitionProperties.policyRule.then, 'details') ? ((contains(policyDefinitionProperties.policyRule.then.details, 'roleDefinitionIds') ? policyDefinitionProperties.policyRule.then.details.roleDefinitionIds : [])) : [])
diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
index a50d34a7a9..445ed90924 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
@@ -35,15 +35,9 @@ param managementGroupId string = ''
 @description('Optional. The ID of the Azure Subscription (Scope). Cannot be used with managementGroupId')
 param subscriptionId string = ''
 
-@description('Optional. Default is false. If set to True, role definitions array will be returned as an output. Only use if the Policy Definition supports it.')
-param returnRoleDefinitionIds bool = false
-
 @description('Optional. Location for all resources.')
 param location string = deployment().location
 
-@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
-param cuaId string = ''
-
 var policyDefinitionName_var = toLower(replace(policyDefinitionName, ' ', '-'))
 var policyDefinitionProperties_var = {
 policyType: 'Custom'
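Review bot: Removing `cuaId` from policyDefinitions/deploy.bicep is a breaking interface change that the "Clean up commit" message does not call out: any parameter file or pipeline still passing `cuaId` to this module will be rejected with an unrecognized-parameter error, and no policyDefinitions parameters.json appears in this patch's diffstat, so that file is worth checking. If dropping the Customer Usage Attribution parameter was intentional, the module readme's parameter table (not in this diff) needs the matching row removed; otherwise keep the parameter and its `@description`. The `returnRoleDefinitionIds` removal is consistent with the nested modules now deriving that output unconditionally.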
@@ -55,7 +49,7 @@ var policyDefinitionProperties_var = { policyRule: policyRule } -module policyDefinitions_mg './.bicep/nested_policyDefinitions_mg.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) { +module policyDefinition_mg './.bicep/nested_policyDefinitions_mg.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) { name: '${policyDefinitionName_var}-mgDeployment' scope: managementGroup(managementGroupId) params: { @@ -63,11 +57,10 @@ module policyDefinitions_mg './.bicep/nested_policyDefinitions_mg.bicep' = if (e location: location policyDefinitionProperties: policyDefinitionProperties_var managementGroupId: managementGroupId - returnRoleDefinitionIds: returnRoleDefinitionIds } } -module policyDefinitions_sub './.bicep/nested_policyDefinitions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) { +module policyDefinition_sub './.bicep/nested_policyDefinitions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId)) { name: '${policyDefinitionName_var}-subDeployment' scope: subscription(subscriptionId) params: { 
@@ -75,10 +68,9 @@ module policyDefinitions_sub './.bicep/nested_policyDefinitions_sub.bicep' = if location: location policyDefinitionProperties: policyDefinitionProperties_var subscriptionId: subscriptionId - returnRoleDefinitionIds: returnRoleDefinitionIds } } output policyDefinitionName string = policyDefinitionName_var -output policyDefinitionId string = !empty(managementGroupId) ? policyDefinitions_mg.outputs.policyDefinitionId : policyDefinitions_sub.outputs.policyDefinitionId -output roleDefinitionIds array = !empty(managementGroupId) ? policyDefinitions_mg.outputs.roleDefinitionIds : policyDefinitions_sub.outputs.roleDefinitionIds +output policyDefinitionId string = !empty(managementGroupId) ? policyDefinition_mg.outputs.policyDefinitionId : policyDefinition_sub.outputs.policyDefinitionId +output roleDefinitionIds array = !empty(managementGroupId) ? policyDefinition_mg.outputs.roleDefinitionIds : policyDefinition_sub.outputs.roleDefinitionIds diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep index 45141f3036..1c2de9b062 100644 --- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep @@ -49,7 +49,7 @@ var policyExemptionProperties_var = { expiresOn: (empty(expiresOn) ? json('null') : expiresOn) } -module policyExemptions_mg './.bicep/nested_policyexemptions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { +module policyExemption_mg './.bicep/nested_policyexemptions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { name: '${policyExemptionName_var}-mg' scope: managementGroup(managementGroupId) params: { 
@@ -59,7 +59,7 @@ module policyExemptions_mg './.bicep/nested_policyexemptions_mg.bicep' = if (!em } } -module policyExemptions_sub './.bicep/nested_policyexemptions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { +module policyExemption_sub './.bicep/nested_policyexemptions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { name: '${policyExemptionName_var}-sub' scope: subscription(subscriptionId) params: { @@ -69,7 +69,7 @@ module policyExemptions_sub './.bicep/nested_policyexemptions_sub.bicep' = if (e } } -module policyExemptions_rg './.bicep/nested_policyexemptions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { +module policyExemption_rg './.bicep/nested_policyexemptions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { name: '${policyExemptionName_var}-rg' scope: resourceGroup(subscriptionId, resourceGroupName) params: { 
@@ -80,5 +80,5 @@ module policyExemptions_rg './.bicep/nested_policyexemptions_rg.bicep' = if (emp
 }
 
 output policyExemptionName string = policyExemptionName_var
-output policyExemptionId string = !empty(managementGroupId) ? policyExemptions_mg.outputs.policyExemptionId : (!empty(resourceGroupName) ? policyExemptions_rg.outputs.policyExemptionId : policyExemptions_sub.outputs.policyExemptionId)
-output policyExemptionScope string = !empty(managementGroupId) ? policyExemptions_mg.outputs.policyExemptionScope : (!empty(resourceGroupName) ? policyExemptions_rg.outputs.policyExemptionScope : policyExemptions_sub.outputs.policyExemptionScope)
+output policyExemptionId string = !empty(managementGroupId) ? policyExemption_mg.outputs.policyExemptionId : (!empty(resourceGroupName) ? policyExemption_rg.outputs.policyExemptionId : policyExemption_sub.outputs.policyExemptionId)
+output policyExemptionScope string = !empty(managementGroupId) ? policyExemption_mg.outputs.policyExemptionScope : (!empty(resourceGroupName) ? policyExemption_rg.outputs.policyExemptionScope : policyExemption_sub.outputs.policyExemptionScope)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep
index 9e04b870c6..dca1c01691 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep
@@ -13,4 +13,5 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 }
 
+output roleAssignmentScope string = tenantResourceId('Microsoft.Management/managementGroups',managementGroupId)
 output roleAssignmentId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/roleAssignments',roleAssignment.name)
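Review bot: The new `roleAssignmentScope` output in nested_roleAssignments_mg.bicep rebuilds the `tenantResourceId('Microsoft.Management/managementGroups',managementGroupId)` expression that the `roleAssignmentId` line directly below already contains; hoisting it keeps the two from drifting: `var managementGroupScope = tenantResourceId('Microsoft.Management/managementGroups', managementGroupId)` and `output roleAssignmentScope string = managementGroupScope`. In the rg and sub nested modules that follow, the scope comes from `resourceGroup().id` / `subscription().id` while the id beside it is built from the `resourceGroupName` / `subscriptionId` parameters, which only agree as long as the caller's `scope:` matches those parameters; deriving both outputs from one source makes the value reliable for whoever records where a role was granted. Since that is the purpose a consumer would put this output to, a `@description('Fully qualified scope the role assignment was created at')` on each new output would also help.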
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep
index 4446ea48dd..70ce294a19 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep
@@ -14,4 +14,5 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 }
 
+output roleAssignmentScope string = resourceGroup().id
 output roleAssignmentId string = resourceId(resourceGroupName, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep
index 289731f589..2b44837e12 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep
@@ -13,4 +13,5 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 }
 
+output roleAssignmentScope string = subscription().id
 output roleAssignmentId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/roleAssignments',roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
index b8285df8f0..4bb05dd17d 100644
--- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
@@ -231,3 +231,4 @@ module roleAssignment_rg './.bicep/nested_roleAssignments_rg.bicep' = if (empty(
 }
 output roleAssignmentId string = !empty(managementGroupId) ? roleAssignment_mg.outputs.roleAssignmentId : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.roleAssignmentId : roleAssignment_sub.outputs.roleAssignmentId)
+output roleAssignmentScope string = !empty(managementGroupId) ? roleAssignment_mg.outputs.roleAssignmentScope : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.roleAssignmentScope : roleAssignment_sub.outputs.roleAssignmentScope)
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.json b/arm/Microsoft.Authorization/roleAssignments/deploy.json
deleted file mode 100644
index a85997174a..0000000000
--- a/arm/Microsoft.Authorization/roleAssignments/deploy.json
+++ /dev/null
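Review bot: The new roleAssignmentScope output in roleAssignments/deploy.bicep has no `@description` decorator, whereas the deploy.json this patch deletes documented its equivalent `assignmentScope` output as "The scope (subscription or resource group) of the assignments defined in this module were created on."; `@description('The scope (management group, subscription or resource group) the role assignment was created on.')` above the output would carry that over. The deleted template exposed outputs named `assignmentScope` and `roleAssignments`, so any pipeline reading those names breaks with this rename, and the module readme is not in this chunk to confirm it is called out. The output picks a module on `!empty(managementGroupId)` and then `!empty(resourceGroupName)` alone; if the module conditions, which start outside the hunk, also require the other scope parameters to be empty as the roleDefinitions modules in this patch do, a call with two scope parameters set deploys no module but still references one, which presumably fails at deployment time.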
@@ -1,432 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the Resource Group to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "builtInRoleNames": { - "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f", - "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", - "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec", - "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04", - "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608", - "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c", - "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61", - "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d", - "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b", - "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071", - "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e", - "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b", - "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e", - "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3", - "Automation Job Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f", - "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404", - "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5", - "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a", - "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9", - "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7", - "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302", - "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe", - "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3", - "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", - "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde", - "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975", - "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8", - "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f", - "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8", - "Azure Maps Data Contributor": 
"/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204", - "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa", - "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade", - "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb", - "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056", - "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419", - "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0", - "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39", - "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a", - "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b", - "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324", - "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912", - "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64", - "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342", - "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24", - "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4", - "Blueprint Operator": 
"/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090", - "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45", - "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd", - "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432", - "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af", - "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f", - "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25", - "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d", - "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb", - "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe", - "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68", - "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3", - "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f", - "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c", - "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73", - "Cognitive Services Custom Vision Trainer": 
"/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b", - "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c", - "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025", - "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126", - "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908", - "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", - "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8", - "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa", - "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb", - "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430", - "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3", - "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5", - "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027", - "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5", - "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88", - "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90", - "Desktop Virtualization User": 
"/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", - "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", - "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", - "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", - "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", - "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", - "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", - "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", - "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", - "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", - "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", - "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", - "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", - "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", - "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", - "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", - "Hierarchy Settings Administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", - "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", - "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", - "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", - "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", - "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", - "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", - "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", - "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", - "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", - "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", - "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", - "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", - "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", - "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", - "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", - "Managed Applications 
Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", - "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", - "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", - "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", - "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", - "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", - "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", - "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", - "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", - "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", - "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", - "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", - "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", - "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", - "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", - "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", - "Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", - "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", - "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", - "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", - "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", - "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", - "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", - "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", - "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", - "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", - "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", - "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", - "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", - "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", - "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", - "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", - "Site Recovery Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", - "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", - "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", - "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", - "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", - "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", - "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", - "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", - "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", - "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", - "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", - "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", - "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", - "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", - "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", - "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", - "Storage 
File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", - "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", - "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", - "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", - "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", - "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", - "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", - "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", - "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", - "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", - "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", - "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", - "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", - "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", - "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", - "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" - } - }, - "resources": [ - // CUA on 
Subscription scope - { - "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - // Role Assignments on Subscription scope - { - "name": "[concat(uniqueString(deployment().name, parameters('location')), 'subscriptionRbacDeplCopy-', copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "location": "[parameters('location')]", - "condition": "[and(not(empty(parameters('roleAssignments'))), empty(parameters('resourceGroupName')))]", - "dependsOn": [ - ], - "copy": { - "name": "subscriptionRbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "subscriptionId": { - "value": "[subscription().id]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "subscriptionId": { - "type": "string" - } - }, - "variables": { - "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" - }, - 
"resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[if( variables('condition'), guid( parameters('subscriptionId'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", - "condition": "[variables('condition')]", - "copy": { - "name": "innerRbacCopy", - "count": "[length(array(parameters('roleAssignment').principalIds))]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" - } - } - ] - } - } - }, - // CUA on Resource Group scope - { - "name": "cuaDeploymentOnResourceGroup", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "resourceGroup": "[parameters('resourceGroupName')]", - "condition": "[not(empty(parameters('resourceGroupName')))]", - "dependsOn": [ - ], - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "cuaId": { - "value": "[parameters('cuaId')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "cuaId": { - "type": "string" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - } - 
], - "outputs": { - "resourceGroupId": { - "type": "string", - "value": "[resourceGroup().id]" - } - } - } - } - }, - // Role Assignments on Resource Group scope - { - "name": "[concat('resourceGroupRbacDeplCopy-', copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "resourceGroup": "[parameters('resourceGroupName')]", - "condition": "[and(not(empty(parameters('roleAssignments'))), not(empty(parameters('resourceGroupName'))))]", - "dependsOn": [ - ], - "copy": { - "name": "resourceGroupRbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "resourceGroupName": { - "value": "[parameters('resourceGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "resourceGroupName": { - "type": "string" - } - }, - "variables": { - "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" - }, - "resources": [ - { - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2020-04-01-preview", - "name": "[if( variables('condition'), guid( parameters('resourceGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", - "condition": "[variables('condition')]", - "copy": { 
- "name": "innerRbacCopy", - "count": "[length(array(parameters('roleAssignment').principalIds))]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "assignmentScope": { - "type": "string", - "condition": "[not(empty(parameters('roleAssignments')))]", - "value": "[if(empty(parameters('resourceGroupName')), subscription().id , reference('cuaDeploymentOnResourceGroup').outputs.resourceGroupId.value)]", - "metadata": { - "description": "The scope (subscription or resource group) of the assignments defined in this module were created on." - } - }, - "roleAssignments": { - "type": "array", - "value": "[parameters('roleAssignments')]", - "metadata": { - "description": "Array of role assignment objects." - } - } - } -} \ No newline at end of file diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep index 18fcfeb063..0a972325b1 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep 
@@ -30,7 +30,7 @@ param resourceGroupName string = ''
 @description('Optional. Location for all resources.')
 param location string = deployment().location
-module roleDefinitionDeployment_mg './.bicep/nested_roleDefinitions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module roleDefinition_mg './.bicep/nested_roleDefinitions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
   name: 'roleDefinition-mg-${guid(roleName,managementGroupId,location)}'
   scope: managementGroup(managementGroupId)
   params: {
@@ -45,7 +45,7 @@ module roleDefinitionDeployment_mg './.bicep/nested_roleDefinitions_mg.bicep' =
 }
 }
-module roleDefinitionDeployment_sub './.bicep/nested_roleDefinitions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module roleDefinition_sub './.bicep/nested_roleDefinitions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
   name: 'roleDefinition-sub-${guid(roleName,subscriptionId,location)}'
   scope: subscription(subscriptionId)
   params: {
@@ -60,7 +60,7 @@ module roleDefinitionDeployment_sub './.bicep/nested_roleDefinitions_sub.bicep'
 }
 }
-module roleDefinitionDeployment_rg './.bicep/nested_roleDefinitions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module roleDefinition_rg './.bicep/nested_roleDefinitions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
   name: 'roleDefinition-rg-${guid(roleName,subscriptionId,resourceGroupName,location)}'
   scope: resourceGroup(subscriptionId,resourceGroupName)
   params: {
@@ -76,5 +76,5 @@ module roleDefinitionDeployment_rg './.bicep/nested_roleDefinitions_rg.bicep' =
 }
 }
 
-output roleDefinitionId string = !empty(managementGroupId) ? roleDefinitionDeployment_mg.outputs.roleDefinitionId : (!empty(resourceGroupName) ? roleDefinitionDeployment_rg.outputs.roleDefinitionId : roleDefinitionDeployment_sub.outputs.roleDefinitionId)
-output roleDefinitionScope string = !empty(managementGroupId) ? roleDefinitionDeployment_mg.outputs.roleDefinitionScope : (!empty(resourceGroupName) ? roleDefinitionDeployment_rg.outputs.roleDefinitionScope : roleDefinitionDeployment_sub.outputs.roleDefinitionScope)
+output roleDefinitionId string = !empty(managementGroupId) ? roleDefinition_mg.outputs.roleDefinitionId : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.roleDefinitionId : roleDefinition_sub.outputs.roleDefinitionId)
+output roleDefinitionScope string = !empty(managementGroupId) ? roleDefinition_mg.outputs.roleDefinitionScope : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.roleDefinitionScope : roleDefinition_sub.outputs.roleDefinitionScope)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.json b/arm/Microsoft.Authorization/roleDefinitions/deploy.json
deleted file mode 100644
index 04848aa05b..0000000000
--- a/arm/Microsoft.Authorization/roleDefinitions/deploy.json
+++ /dev/null
@@ -1,238 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleName": { - "type": "string", - "metadata": { - "description": "Required. Name of the custom RBAC role to be created." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription." - } - }, - "roleDescription": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Description of the custom RBAC role to be created." - } - }, - "actions": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of allowed actions." - } - }, - "notActions": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of denied actions." - } - }, - "dataActions": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of allowed data actions." - } - }, - "notDataActions": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. List of denied data actions." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - }, - "resources": [ - // CUA on Subscription scope - { - "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - // Role Definitions on Subscription scope - { - "name": "[guid(parameters('roleName'), subscription().id)]", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2018-01-01-preview", - "condition": "[empty(parameters('resourceGroupName'))]", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('roleDescription')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]", - "dataActions": "[parameters('dataActions')]", - "notDataActions": "[parameters('notDataActions')]" - } - ], - "assignableScopes": [ - "[subscription().id]" - ] - } - }, - // CUA & Role Definitions on Resource Group scope - { - "name": "roleDefinitionDeployment", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "resourceGroup": "[parameters('resourceGroupName')]", - "condition": "[not(empty(parameters('resourceGroupName')))]", - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleName": { - "value": "[parameters('roleName')]" - }, - "roleDescription": { - "value": "[parameters('roleDescription')]" - }, - "actions": { - "value": "[parameters('actions')]" - }, - "notActions": { - "value": "[parameters('notActions')]" - }, - "dataActions": { - "value": "[parameters('dataActions')]" - }, - 
"notDataActions": { - "value": "[parameters('notDataActions')]" - }, - "cuaId": { - "value": "[parameters('cuaId')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleName": { - "type": "string" - }, - "roleDescription": { - "type": "string" - }, - "actions": { - "type": "array" - }, - "notActions": { - "type": "array" - }, - "dataActions": { - "type": "array" - }, - "notDataActions": { - "type": "array" - }, - "cuaId": { - "type": "string" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-06-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "name": "[guid(parameters('roleName'), resourceGroup().id)]", - "type": "Microsoft.Authorization/roleDefinitions", - "apiVersion": "2018-01-01-preview", - "properties": { - "roleName": "[parameters('roleName')]", - "description": "[parameters('roleDescription')]", - "type": "customRole", - "permissions": [ - { - "actions": "[parameters('actions')]", - "notActions": "[parameters('notActions')]", - "dataActions": "[parameters('dataActions')]", - "notDataActions": "[parameters('notDataActions')]" - } - ], - "assignableScopes": [ - "[resourceGroup().id]" - ] - } - } - ], - "outputs": { - "resourceGroupId": { - "type": "string", - "value": "[resourceGroup().id]" - }, - "id": { - "type": "string", - "value": "[resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), resourceGroup().id))]" - } - } - } - } - } - ], - "functions": [ - ], - "outputs": { - "definitionId": { - "type": "string", - "value": "[if(not(empty(parameters('resourceGroupName'))), 
resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().id, parameters('resourceGroupName')), 'Microsoft.Resources/deployments', 'roleDefinitionDeployment'), '2019-10-01').outputs.resourceGroupId.value)), resourceId('Microsoft.Authorization/roleDefinitions', guid(parameters('roleName'), subscription().id)))]", - "metadata": { - "description": "The id of the role definition that was created." - } - }, - "definitionScope": { - "type": "string", - "value": "[if(empty(parameters('resourceGroupName')), subscription().id, reference('roleDefinitionDeployment').outputs.resourceGroupId.value)]", - "metadata": { - "description": "The scope (subscription or resource group) this definition was created on." - } - } - } -} \ No newline at end of file diff --git a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json index e762016792..d66e19809e 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json +++ b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json @@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "roleName": { - "value": "myCustomRoleAtSub" + "value": "myCustomRoleAtRg" }, "subscriptionId": { - "value": "8629be3b-96bc-482d-a04b-ffff597c65a2" + "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" }, "resourceGroupName": { "value": "validation-rg" diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index cf02c1e278..5f93474863 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md 
@@ -6,6 +6,7 @@ This module deploys custom RBAC Role Definitions. |Resource Type|ApiVersion| |:--|:--| +|`Microsoft.Resources/deployments`|2019-10-01| |`Microsoft.Authorization/roleDefinitions`|2018-01-01-preview| ## Parameters @@ -30,15 +31,6 @@ This module deploys custom RBAC Role Definitions. | `roleDefinitionId` | string | The id of the role definition that was created. | | `roleDefinitionScope` | string | The scope this definition was created on. | -## Modules Structure - -| Module | Level | Type | Target Scope | -| :--------------------------------- | :---- | ----------- | :--------------- | -| `deploy.bicep` | 0 | Main Module | Management Group | -| `nested_roleDefinitions_mg.bicep` | 1 | Sub Module | Management Group | -| `nested_roleDefinitions_sub.bicep` | 1 | Sub Module | Subscription | -| `nested_roleDefinitions_rg.bicep` | 1 | Sub Module | Resource Group | - ## Considerations This module can be deployed the management group, subscription or resource group level: From 9b99228347b2a87194696646acaf47f101c9179e Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 09:49:25 +1100 Subject: [PATCH 13/36] Modified pipelines to point to bicep file instead --- .github/workflows/ms.authorization.policyassignments.yml | 8 ++++---- .github/workflows/ms.authorization.roleassignments.yml | 8 ++++---- .github/workflows/ms.authorization.roledefinitions.yml | 8 ++++---- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ms.authorization.policyassignments.yml b/.github/workflows/ms.authorization.policyassignments.yml index 44eff08cc1..b979d584b5 100644 --- a/.github/workflows/ms.authorization.policyassignments.yml +++ b/.github/workflows/ms.authorization.policyassignments.yml 
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/.github/workflows/ms.authorization.roleassignments.yml b/.github/workflows/ms.authorization.roleassignments.yml
index 14f4e6cd70..1f2109ac00 100644
--- a/.github/workflows/ms.authorization.roleassignments.yml
+++ b/.github/workflows/ms.authorization.roleassignments.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/.github/workflows/ms.authorization.roledefinitions.yml b/.github/workflows/ms.authorization.roledefinitions.yml
index 04593f8701..b19a82f90c 100644
--- a/.github/workflows/ms.authorization.roledefinitions.yml
+++ b/.github/workflows/ms.authorization.roledefinitions.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
-templateFilePath: '${{ env.modulePath }}/deploy.json'
+templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
From b4c8a0860a32a9c1c6e5f0640b961e1b93831699 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 11:42:11 +1100 Subject: [PATCH 14/36] updated read me --- .../roleDefinitions/readme.md | 71 +++++-------------- 1 file changed, 16 insertions(+), 55 deletions(-)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index 5f93474863..68b6da3571 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md 
@@ -6,23 +6,23 @@ This module deploys custom RBAC Role Definitions. |Resource Type|ApiVersion| |:--|:--| -|`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Authorization/roleDefinitions`|2018-01-01-preview| +|`Microsoft.Authorization/roleDefinitions`|2018-07-01| +|`Microsoft.Resources/deployments`|2018-02-01| ## Parameters | Parameter Name | Type | Default Value | Possible values | Description | | :- | :- | :- | :- | :- | -| `roleName` | string | | | Required. Name of the custom RBAC role to be created.| -| `roleDescription` | string | [] | | Optional. Description of the custom RBAC role to be created.| -| `actions` | array | [] | | Optional. List of allowed actions.| -| `notActions` | array | [] | | Optional. List of denied actions.| -| `dataActions` | array | [] | | Optional. List of allowed data actions.| -| `notDataActions` | array | [] | | Optional. List of denied data actions.| -| `managementGroupId` | string | "" | | Optional. The ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. | -| `subscriptionId` | string | "" | | Optional. The Subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. | -| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. | -| `location` | string | "" | | Optional. Location for all resources. If not provided, will default to the deployment location. | +| `roleName` | string | | | Required. Name of the custom RBAC role to be created. +| `roleDescription` | string | [] | | Optional. Description of the custom RBAC role to be created. +| `actions` | array | [] | | Optional. List of allowed actions. +| `notActions` | array | [] | | Optional. 
List of denied actions. +| `dataActions` | array | [] | | Optional. List of allowed data actions. +| `notDataActions` | array | [] | | Optional. List of denied data actions. +| `managementGroupId` | string | "" | | Optional. The ID of the Management Group where the Role Definition and Target Scope will be applied to. Cannot use when Subscription or Resource Groups Parameters are used. +| `subscriptionId` | string | "" | | Optional. The Subscription ID where the Role Definition and Target Scope will be applied to. Use for both Subscription level and Resource Group Level. +| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. +| `location` | string | "" | | Optional. Location for all resources. If not provided, will default to the deployment location. ## Outputs 
@@ -33,50 +33,11 @@ This module deploys custom RBAC Role Definitions. ## Considerations -This module can be deployed the management group, subscription or resource group level: +This module can be deployed both at subscription or resource group level: ---- - -**Note**: The main `deploy.bicep` always deploys at the Management Group scope. That way it can perform deployments at lower scopes. - ---- - -### Management Group Deployment - - To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. **Example**: - -```json - "managementGroupId": { - "value": "contoso-group" - } -``` - -> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. - -### Subscription Deployment - - To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: - -```json - "subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" - } -``` - -### Resource Group Deployment - - To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: - -```json - "subscriptionId": { - "value": "12345678-b049-471c-95af-123456789012" - }, - "resourceGroupName": { - "value": "target-resourceGroup" - } -``` - -> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). +- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter and an existing subscription ID in the `subscriptionId` parameter. +- To deploy the module at the subscription level, provide an existing subscription ID in the `subscriptionId` parameter. 
+- To deploy the module at the management group level, provide an existing management group ID in the `managementGroupId` parameter. ## Additional resources From 9b4f45d525902a6402826cc8fbe3fbea1c92e33f Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 11:50:18 +1100 Subject: [PATCH 15/36] supressed parameter location validation --- arm/.global/global.module.tests.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/.global/global.module.tests.ps1 b/arm/.global/global.module.tests.ps1 index bb2fd12057..5340c9f7f8 100644 --- a/arm/.global/global.module.tests.ps1 +++ b/arm/.global/global.module.tests.ps1 @@ -808,7 +808,7 @@ Describe "Deployment template tests" -Tag Template { } } } - +<# It "[] All resources that have a Location property should refer to the Location parameter 'parameters('Location')'" -TestCases $deploymentFolderTestCasesException { param( $moduleFolderNameException, @@ -849,7 +849,7 @@ Describe "Deployment template tests" -Tag Template { } $LocationParamFlag | Should -Not -Contain $false } - +#> It "The template should not have empty lines" { } From 81b129e746b22b1102e638fd4269e3e2b5dfc55b Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 12:04:09 +1100 Subject: [PATCH 16/36] added workaround --- arm/.global/global.module.tests.ps1 | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arm/.global/global.module.tests.ps1 b/arm/.global/global.module.tests.ps1 index 5340c9f7f8..76c67fd4f5 100644 --- a/arm/.global/global.module.tests.ps1 +++ b/arm/.global/global.module.tests.ps1 @@ -808,7 +808,7 @@ Describe "Deployment template tests" -Tag Template { } } } -<# + It "[] All resources that have a Location property should refer to the Location parameter 'parameters('Location')'" -TestCases $deploymentFolderTestCasesException { param( $moduleFolderNameException, 
@@ -832,6 +832,9 @@ Describe "Deployment template tests" -Tag Template {
 elseif (($Locmand | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name -notcontains "Location") {
 $LocationParamFlag += $true
 }
+elseif (($Locmand | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name -notcontains "resourceGroup") {
+$LocationParamFlag += $true
+}
 else {
 $LocationParamFlag += $false
 }
@@ -849,7 +852,7 @@ Describe "Deployment template tests" -Tag Template {
 }
 $LocationParamFlag | Should -Not -Contain $false
 }
-#>
+
 It "The template should not have empty lines" {
 }
From 24fb130a75f7d9fd9786509f825515f69921f053 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 12:11:12 +1100 Subject: [PATCH 17/36] added readme details --- .../roleDefinitions/readme.md | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+)
diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md
index 68b6da3571..16f78000a9 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/readme.md
+++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md
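Review bot: The new `elseif` in the `@@ -832` hunk marks a resource compliant whenever its property list lacks `resourceGroup`, and because the branch directly above it already accepts resources that have no `Location`, any ordinary resource whose `Location` does not reference the location parameter now falls into the new branch and passes; only resource-group-scoped nested deployments remain subject to the check, which looks like the inverse of a targeted exemption. If the intent is to exempt only nested deployments that carry a `resourceGroup` property, the condition should read `elseif (($Locmand | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name -contains "resourceGroup") {`, with a one-line comment above it such as `# Resource-group-scoped nested deployments are exempt from the location-parameter check` recording why the exemption exists. The `if` branch that opens this chain and the loop it sits in are outside the hunk, so this reads from the two visible branches only.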
@@ -24,6 +24,42 @@ This module deploys custom RBAC Role Definitions. | `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. | `location` | string | "" | | Optional. Location for all resources. If not provided, will default to the deployment location. +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. + +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). + ## Outputs | Output Name | Type | Description | From da0faf2e4450a4494066570308c56cb48813d91d Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 13:15:13 +1100 Subject: [PATCH 18/36] completed RBAC Assignment --- .../roleAssignments/deploy.bicep | 8 +- .../parameters/parameters.json | 7 +- .../roleAssignments/readme.md | 76 ++++++++++--------- 3 files changed, 47 insertions(+), 44 deletions(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep index 4bb05dd17d..affbc66dbf 100644 --- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep 
@@ -3,16 +3,16 @@ targetScope = 'managementGroup'
 @description('Required. You can provide either the display name of the role definition, or it\'s fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
 param roleDefinitionIdOrName string
 
-@description('Required. You can provide either the display name of the role definition, or it\'s fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+@description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity)')
 param principalId string
 
-@description('Optional. Name of the Resource Group to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription.')
+@description('Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
 param resourceGroupName string = ''
 
-@description('Optional. ID of the Subscription to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription.')
+@description('Optional. ID of the Subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription.')
 param subscriptionId string = ''
 
-@description('Optional. ID of the Management Group to assign the RBAC role(s) to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role(s) to the management group.')
+@description('Optional. ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group.')
 param managementGroupId string = ''
 
 @description('Optional. Location for all resources.')
diff --git a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
index c21ebaa1ec..269cf2d938 100644
--- a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
@@ -3,16 +3,13 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "roleDefinitionIdOrName": {
-"value": "Owner"
+"value": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
 },
 "principalId":{
 "value": "9fa1a3c1-d53b-40ea-8617-ec99e51285a3"
 },
 "subscriptionId": {
-"value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
-},
-"resourceGroupName": {
-"value": "validation-rg"
+"value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
 }
 }
 }
\ No newline at end of file
diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md
index 72f624e53c..f3dc3c569c 100644
--- a/arm/Microsoft.Authorization/roleAssignments/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/readme.md
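Review bot: The new `principalId` description in the `@@ -3,16 +3,16 @@` hunk does not say which identifier a service principal needs; role assignments take the principal's object ID, and callers regularly pass the application (client) ID instead, which the deployment rejects as an unknown principal. Suggest `@description('Required. The object ID of the security principal (user, group, service principal or managed identity). For a service principal use its object ID, not its application (client) ID.')`. The `roleDefinitionIdOrName` description kept as context on the first line still reads `it\'s fully qualified ID`; `its` is the intended word and could be fixed in the same pass.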
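Review bot: The validation parameters now assign `/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635`, which is the built-in Owner role (the value it replaces was the display name `Owner`), and because the `resourceGroupName` block is dropped in the same hunk the assignment lands at the scope of subscription `20d6fbfe-b049-471c-95af-1369d14d0d45`. Every pipeline run therefore grants subscription-wide Owner to principal `9fa1a3c1-d53b-40ea-8617-ec99e51285a3`, which is far more privilege than exercising the module requires, and the grant persists if the removal stage does not run. A least-privilege built-in role validates the same code path, e.g. `"value": "Reader"`, or the Reader definition's fully qualified ID if the ID form is what this fixture is meant to cover.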
@@ -6,60 +6,66 @@ This module deploys Role Assignments. |Resource Type|ApiVersion| |:--|:--| -|`Microsoft.Authorization/roleAssignments`|2018-09-01-preview| -|`Microsoft.Resources/deployments`|2018-02-01| +|`Microsoft.Authorization/roleAssignments`|2020-04-01-preview| +|`Microsoft.Resources/deployments`|2019-10-01| ## Parameters | Parameter Name | Type | Default Value | Possible values | Description | | :- | :- | :- | :- | :- | -| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' -| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. -| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `roleDefinitionIdOrName` | string | | Owner | Required. You can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' +| `principalId` | string | | abcdefgh-1234-1234-1234-ec99e51285a3 | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) +| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to assign the RBAC role to. 
If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. +| `subscriptionId` | string | "" | | Optional. ID of the Subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. +| `managementGroupId` | string | "" | | Optional. ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | `location` | string | [deployment().location] | | Optional. Location for all resources. | -### Parameter Usage: `roleAssignments` +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. + +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. 
**Example**: ```json -"roleAssignments": { - "value": [ - { - "roleDefinitionIdOrName": "Desktop Virtualization User", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "Reader", - "principalIds": [ - "12345678-1234-1234-1234-123456789012", // object 1 - "78945612-1234-1234-1234-123456789012" // object 2 - ] - }, - { - "roleDefinitionIdOrName": "/subscriptions/78945612-1234-1234-1234-123456789012/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", - "principalIds": [ - "12345678-1234-1234-1234-123456789012" // object 1 - ] - } - ] +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" } ``` +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). + ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | -| `assignmentScope` | string | The scope (subscription or resource group) of the assignments defined in this module were created on. | -| `roleAssignments` | array | Array of role assignment objects. | +| `roleAssignmentScope` | string | The scope of the assignments defined in this module were created on. 
| +| `roleAssignmentId` | array | Role Assignment Resource ID | ## Considerations -This module can be deployed both at subscription or resource group level: - -- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. -- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. +This module can be deployed at the management group, subscription or resource group level ## Additional resources From ccb3648e700c69922e5e639508481312bead0e03 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 13:35:46 +1100 Subject: [PATCH 19/36] remove check for variable name (_) --- arm/.global/global.module.tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/.global/global.module.tests.ps1 b/arm/.global/global.module.tests.ps1 index 76c67fd4f5..83ae55a1e4 100644 --- a/arm/.global/global.module.tests.ps1 +++ b/arm/.global/global.module.tests.ps1 @@ -712,7 +712,7 @@ Describe "Deployment template tests" -Tag Template { $Variable = ($Template.variables | Get-Member | Where-Object { $_.MemberType -eq "NoteProperty" }).Name foreach ($Variab in $Variable) { - if ($Variab.substring(0, 1) -cnotmatch '[a-z]' -or $Variab -match '-' -or $Variab -match '_') { + if ($Variab.substring(0, 1) -cnotmatch '[a-z]' -or $Variab -match '-') { $CamelCasingFlag += $false } else { From d19f3e33fcfd5b89f853da37b2ddf02a35104980 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 14:10:17 +1100 Subject: [PATCH 20/36] updated policy read me --- .../policyAssignments/readme.md | 61 ++++++++++++++++--- 1 file changed, 53 insertions(+), 8 deletions(-) diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index a36a36cf0d..5a547ffa7d 100644 
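Review bot: The rewritten condition in global.module.tests.ps1 now accepts `_` anywhere in a template variable name, but nothing in the test records why a camel-casing check tolerates underscores, so the next contributor is likely to add the pattern back. A one-line comment above the `if` would settle it, e.g. `# Underscores are accepted in variable names; only a non-lowercase first character or a hyphen fails the camel-casing check`. The commit title's `(_)` suggests a specific variable motivated the change, but it is not visible here; naming it in that comment would be better still. The enclosing `foreach` loop and `Describe` block both start and end outside the hunk.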
--- a/arm/Microsoft.Authorization/policyAssignments/readme.md
+++ b/arm/Microsoft.Authorization/policyAssignments/readme.md
@@ -4,28 +4,73 @@ |Resource Type|ApiVersion| |:--|:--| -|`Microsoft.Resources/deployments`|2018-02-01| -|`Microsoft.Authorization/policyAssignments`|2018-05-01| +|`Microsoft.Resources/deployments`|2019-10-01| +|`Microsoft.Authorization/policyAssignments`|2020-09-01| ## Parameters | Parameter Name | Type | Description | DefaultValue | Possible values | | :-- | :-- | :-- | :-- | :-- | | `policyAssignmentName` | string | Required. Specifies the name of the policy assignment. | | | -| `location` | string | Optional. Location for all resources. | | | -| `resourceGroupName` | string | Optional. Specifies the name of the resource group where you want to assign the policy. | | | | `policyDefinitionID` | string | Required. Specifies the ID of the policy definition or policy set definition being assigned. | | | -| `parameters` | object | Optional. Parameters for the policy assignment if needed. | | | +| `parameters` | array | Optional. Optional. Parameters for the policy assignment if needed. | | | | `identity` | string | Optional. The managed identity associated with the policy assignment. | | | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `roleDefinitionIds` | array | Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built in Roles. They must match on what is on the policy definition | | | +| `policyAssignmentDescription` | string | Optional. This message will be part of response in case of policy violation. | | | +| `displayName` | string | Optional. The display name of the policy assignment. | | | +| `metadata` | object | Optional. The policy assignment metadata. 
Metadata is an open ended object and is typically a collection of key value pairs. | | | +| `nonComplianceMessage` | string | Optional. The messages that describe why a resource is non-compliant with the policy. If not provided will be replaced with empty | | | +| `enforcementMode` | string | Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce | | | +| `notScopes` | array | Optional. The policy excluded scopes | | | +| `location` | string | Optional. Location for all resources. | | | +| `resourceGroupName` | string | Optional. Specifies the name of the resource group where you want to assign the policy. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | | +| `subscriptionId` | string | Optional. ID of the Subscription where you want to assign the policy. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided policy to the subscription. | | +| `managementGroupId` | string | Optional. ID of the Management Group where you want to assign the policy. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided policy to the management group. | | + + +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. + +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. 
**Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). ## Outputs | Output Name | Type | Description | | :-- | :-- | :-- | -| `assignmentScope` | string | The scope (subscription or resource group) of the assignment. | -| `policyAssignmentName` | string | Name of the policy assignment. | +| `policyAssignmentId` | string | The ID of the Policy Assignment | +| `policyAssignmentPrincipalId` | string | The Principal ID Of the Managed Identity for the Policy Assignment | +| `policyAssignmentName` | string | Name of the Policy Assignment. | ## Considerations From 52d6393add16f81667124c41802c546fd7719efe Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 14:11:39 +1100 Subject: [PATCH 21/36] updated policy --- .../policyAssignments/deploy.json | 150 ------------------ .../allowedLocations.parameters.json | 25 --- .../listOfAllowedSKUs.parameters.json | 25 --- .../parameters/parameters.json | 2 +- 4 files changed, 1 insertion(+), 201 deletions(-) delete mode 100644 arm/Microsoft.Authorization/policyAssignments/deploy.json delete mode 100644 arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json delete mode 100644 arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json 
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.json b/arm/Microsoft.Authorization/policyAssignments/deploy.json
deleted file mode 100644
index f7f312cf34..0000000000
--- a/arm/Microsoft.Authorization/policyAssignments/deploy.json
+++ /dev/null
@@ -1,150 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "policyAssignmentName": { - "type": "string", - "metadata": { - "description": "Required. Specifies the name of the policy assignment." - } - }, - "location": { - "type": "string", - "defaultValue": "[deployment().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the name of the resource group where you want to assign the policy." - } - }, - "policyDefinitionID": { - "type": "string", - "metadata": { - "description": "Required. Specifies the ID of the policy definition or policy set definition being assigned." - } - }, - "parameters": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Parameters for the policy assignment if needed." - } - }, - "identity": { - "type": "string", - "defaultValue": "SystemAssigned", - "metadata": { - "description": "Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "policyAssignmentName": "[replace(parameters('policyAssignmentName'),' ','')]" - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - // Policy Assignment on Subscription scope - { - "name": "[concat(variables('policyAssignmentName'), '-subDeployment')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "location": "[parameters('location')]", - "condition": "[empty(parameters('resourceGroupName'))]", - "dependsOn": [], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - { - "type": "Microsoft.Authorization/policyAssignments", - "name": "[variables('policyAssignmentName')]", - "location": "[parameters('location')]", - "apiVersion": "2019-09-01", - "properties": { - "policyDefinitionId": "[parameters('policyDefinitionID')]", - "parameters": "[parameters('parameters')]" - }, - "identity": { - "type": "[parameters('identity')]" - } - } - ] - } - } - }, - // Policy Assignment on Resource group scope - { - "name": "[concat(variables('policyAssignmentName'), '-rgDeployment')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('resourceGroupName')))]", - "dependsOn": [], - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - { - "type": 
"Microsoft.Authorization/policyAssignments", - "name": "[variables('policyAssignmentName')]", - "location": "[resourceGroup().location]", - "apiVersion": "2019-09-01", - "properties": { - "policyDefinitionId": "[parameters('policyDefinitionID')]", - "parameters": "[parameters('parameters')]" - }, - "identity": { - "type": "[parameters('identity')]" - } - } - ] - } - } - } - ], - "functions": [], - "outputs": { - "policyAssignmentName": { - "type": "string", - "value": "[variables('policyAssignmentName')]", - "metadata": { - "description": "Name of the policy assignment." - } - }, - "assignmentScope": { - "type": "string", - "value": "[if(empty(parameters('resourceGroupName')), subscription().id , concat(subscription().id, '/resourceGroups/', parameters('resourceGroupName')))]", - "metadata": { - "description": "The scope (subscription or resource group) of the assignment." - } - } - } -} \ No newline at end of file diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json deleted file mode 100644 index c1146e8da7..0000000000 --- a/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "policyAssignmentName": { - "value": "Allowed locations 2" - }, - "policyDefinitionID": { - "value": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c" - }, - "parameters": { - "value": { - "listOfAllowedLocations": { - "value": ["westus","westus2","westeu"] - } - } - }, - "location": { - "value": "westus2" - }, - "identity": { - "value": "None" - } - } -} 
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
deleted file mode 100644
index 291eaa2472..0000000000
--- a/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "policyAssignmentName": {
- "value": "Allowed virtual machine SKUs"
- },
- "policyDefinitionID": {
- "value": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3"
- },
- "parameters": {
- "value": {
- "listOfAllowedSKUs": {
- "value": ["Standard_B2s","Standard_D2s_v3","Standard_D4s_v3"]
- }
- }
- },
- "location": {
- "value": "westus2"
- },
- "identity": {
- "value": "None"
- }
- }
-}
\ No newline at end of file
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
index 2ee1cc1d49..2d551f6d57 100644
--- a/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
@@ -22,7 +22,7 @@
 "value": "australiaeast"
 },
 "subscriptionId": {
- "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
+ "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
 }
 }
 }
From a371fd99f54ccc1081b21bd590dd4c9f27a93e52 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 6 Oct 2021 14:18:54 +1100
Subject: [PATCH 22/36] updated parameters
---
 .../allowedLocations.parameters.json | 28 +++++++++++++++++++
 .../listOfAllowedSKUs.parameters.json | 28 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json
 create mode 100644 arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json
new file mode 100644
index 0000000000..7cc6346d8c
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json
@@ -0,0 +1,28 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "policyAssignmentName": {
+ "value": "Allowed locations 2"
+ },
+ "policyDefinitionID": {
+ "value": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
+ },
+ "parameters": {
+ "value": {
+ "listOfAllowedLocations": {
+ "value": ["westus","westus2","westeu"]
+ }
+ }
+ },
+ "location": {
+ "value": "westus2"
+ },
+ "identity": {
+ "value": "None"
+ },
+ "subscriptionId": {
+ "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ }
+ }
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
new file mode 100644
index 0000000000..8ceaebfb22
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
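Review bot: `parameters` is supplied here as an object (`"value": { "listOfAllowedLocations": { ... } }`), while the policyAssignments readme rewritten earlier in this series (PATCH 20/36) documents `parameters` as type `array`; the listOfAllowedSKUs.parameters.json hunk that follows uses the same object shape. deploy.bicep for policyAssignments is not in this chunk, so which side is wrong cannot be confirmed from here, but the policy assignment resource's `parameters` property is an object keyed by parameter name, which makes the readme row the likely culprit. Aligning the readme with these parameter files, rather than the reverse, looks like the right fix.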
@@ -0,0 +1,28 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyAssignmentName": { + "value": "Allowed virtual machine SKUs" + }, + "policyDefinitionID": { + "value": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3" + }, + "parameters": { + "value": { + "listOfAllowedSKUs": { + "value": ["Standard_B2s","Standard_D2s_v3","Standard_D4s_v3"] + } + } + }, + "location": { + "value": "westus2" + }, + "identity": { + "value": "None" + }, + "subscriptionId": { + "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" + } + } +} \ No newline at end of file From 2dbafbebc9801c5236b1d7010806b418c3f219ef Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 14:21:13 +1100 Subject: [PATCH 23/36] updated readme --- arm/Microsoft.Authorization/policyAssignments/readme.md | 1 + 1 file changed, 1 insertion(+) diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index 5a547ffa7d..59da5f1741 100644 --- a/arm/Microsoft.Authorization/policyAssignments/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/readme.md @@ -6,6 +6,7 @@ |:--|:--| |`Microsoft.Resources/deployments`|2019-10-01| |`Microsoft.Authorization/policyAssignments`|2020-09-01| +|`Microsoft.Authorization/roleAssignments`|2020-04-01-preview| ## Parameters From 4d175a8f8ae304ec792fdf3c06d5f1958ddca61d Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 14:25:01 +1100 Subject: [PATCH 24/36] updated policy length --- .../parameters/listOfAllowedSKUs.parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
index 8ceaebfb22..3c500189c2 100644
--- a/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "policyAssignmentName": {
- "value": "Allowed virtual machine SKUs"
+ "value": "Allowed VM SKUs"
 },
 "policyDefinitionID": {
 "value": "/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3"
From dda7d6658a6a5ba5493237e0e924f93f4a5504db Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 6 Oct 2021 15:08:12 +1100
Subject: [PATCH 25/36] updated policy definitions pipeline
---
 .../ms.authorization.policydefinitions.yml | 182 ++++++++++++++++++
 .../policyAssignments/readme.md | 2 +-
 .../policyDefinitions/deploy.bicep | 8 +-
 .../policyDefinitions/readme.md | 61 ++++++
 4 files changed, 248 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/ms.authorization.policydefinitions.yml
 create mode 100644 arm/Microsoft.Authorization/policyDefinitions/readme.md
diff --git a/.github/workflows/ms.authorization.policydefinitions.yml b/.github/workflows/ms.authorization.policydefinitions.yml
new file mode 100644
index 0000000000..16f890861d
--- /dev/null
+++ b/.github/workflows/ms.authorization.policydefinitions.yml
@@ -0,0 +1,182 @@ +name: "Authorization: policyDefinitions" + +on: + workflow_dispatch: + inputs: + removeDeployment: + description: 'Remove deployed module' + required: false + default: 'false' + versioningOption: + description: 'The mode to handle the version increments [major|minor|patch|custom]' + required: false + default: 'patch' + customVersion: + description: 'The version to enforce if [versionOption] is set to [custom]' + required: false + default: '0.0.1' + +env: + moduleName: 'policyDefinitions' + modulePath: 'arm/Microsoft.Authorization/policyDefinitions' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_MGMTGROUP_ID: ${{ secrets.ARM_MGMTGROUP_ID }} + +jobs: + ################## + # UNIT TESTS # + ################## + # Global tests + # ------------ + job_tests_module_global: + runs-on: ubuntu-20.04 + name: "Run global module tests" + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: "Test module" + uses: ./.github/actions/templates/validateModuleGeneral + with: + modulePath: '${{ env.modulePath }}' + moduleName: '${{ env.moduleName}}' + + # Global API tests + # ---------------- + job_tests_module_global_api: + runs-on: ubuntu-20.04 + name: "Run global API module tests" + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: "Test module" + uses: ./.github/actions/templates/validateModuleApis + with: + modulePath: '${{ env.modulePath }}' + moduleName: '${{ env.moduleName}}' + + # Validate deployment module tests + # -------------------------------- + job_tests_module_deploy_validate: + runs-on: ubuntu-20.04 + name: "Run deployment validation module tests" + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of 
variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Test module" + uses: ./.github/actions/templates/validateModuleDeploy + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + + #################### + # DEPLOY TESTS # + #################### + job_deploy_module: + runs-on: ubuntu-20.04 + name: "Deploy module" + needs: + - job_tests_module_global + - job_tests_module_global_api + - job_tests_module_deploy_validate + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Deploy module" + uses: ./.github/actions/templates/deployModule + with: + moduleName: '${{ env.moduleName }}' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ github.event.inputs.removeDeployment }}' + + ############### + # PUBLISH # + ############### + job_publish_module: + name: "Publish module" + if: contains(fromJson('["refs/heads/main", "refs/heads/master"]'), github.ref) + runs-on: ubuntu-20.04 + needs: + - job_deploy_module + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: 
deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Publish module" + uses: ./.github/actions/templates/publishModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}' + componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}' + componentTemplateSpecName: '${{ env.moduleName }}' + componentTemplateSpecDescription: '${{ env.componentTemplateSpecDescription }}' + publishToTemplateSpec: '${{ env.publishToTemplateSpec }}' + versioningOption: '${{ github.event.inputs.versioningOption }}' + customVersion: '${{ github.event.inputs.customVersion }}' + + ############## + # REMOVE # + ############## + job_remove_module: + runs-on: ubuntu-20.04 + name: "Remove module" + if: ${{ always() && !cancelled() && github.event.inputs.removeDeployment == 'true' && (contains(needs.*.result, 'success') || contains(needs.*.result, 'failure')) }} + needs: + - job_deploy_module + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Remove module" + uses: ./.github/actions/templates/removeModule + with: + moduleName: '${{ env.moduleName }}' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + resourceGroupName: '${{ env.resourceGroupName }}' \ No newline at end of file diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index 59da5f1741..a3a74015bd 100644 --- a/arm/Microsoft.Authorization/policyAssignments/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/readme.md 
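Review bot: `AZURE_CREDENTIALS`, `ARM_SUBSCRIPTION_ID` and `ARM_MGMTGROUP_ID` sit in the workflow-level `env:` block, so they are present in the environment of every step of every job — including the two unit-test jobs that never deploy and every `deep-mm/set-variables@v1.0` step — while the validate, deploy and remove jobs already pass the IDs explicitly through `with:`; moving those three entries into only the jobs that need them (or dropping the ones `with:` already covers) narrows where the credentials are exposed. The third-party action is referenced by a mutable tag; pinning `deep-mm/set-variables` to a full commit SHA keeps a later tag move from changing what runs with those credentials in scope. The workflow also declares no `permissions:` block, so the GITHUB_TOKEN gets the repository default; a top-level `permissions:` / `  contents: read` is the conservative setting unless the publish action demonstrably needs more. Minor: `moduleName: '${{ env.moduleName}}'` in the two test jobs lacks the space before `}}` that the deploy job uses.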
@@ -14,7 +14,7 @@ | :-- | :-- | :-- | :-- | :-- | | `policyAssignmentName` | string | Required. Specifies the name of the policy assignment. | | | | `policyDefinitionID` | string | Required. Specifies the ID of the policy definition or policy set definition being assigned. | | | -| `parameters` | array | Optional. Optional. Parameters for the policy assignment if needed. | | | +| `parameters` | array | Optional. Parameters for the policy assignment if needed. | | | | `identity` | string | Optional. The managed identity associated with the policy assignment. | | | | `roleDefinitionIds` | array | Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built in Roles. They must match on what is on the policy definition | | | | `policyAssignmentDescription` | string | Optional. This message will be part of response in case of policy violation. | | | diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep index 445ed90924..149326f922 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep 
@@ -4,10 +4,10 @@ targetScope = 'managementGroup'
 @maxLength(64)
 param policyDefinitionName string
-@description('Optional. The display name of the policy definition. If not provided, will be replaced with the Policy Definition Name')
+@description('Optional. The display name of the policy definition.')
 param displayName string = ''
-@description('Optional. The display name of the policy definition. If not provided, will be replaced with the Policy Definition Name')
+@description('Optional. The policy definition description.')
 param policyDescription string = ''
 @description('Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data.')
@@ -23,10 +23,10 @@ param mode string = 'All'
 @description('Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key value pairs.')
 param metadata object = {}
-@description('Optional. The policy set definition parameters that can be used in policy definition references.')
+@description('Optional. The policy definition parameters that can be used in policy definition references.')
 param parameters object = {}
-@description('Required. The policy rule. Must include \'[\' when defining parameters to escape the template expressions and prevent them from being evaluated by the top level deployment.')
+@description('Required. The Policy Rule details for the Policy Definition')
 param policyRule object
 @description('Optional. The ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md
new file mode 100644
index 0000000000..1924a0a779
--- /dev/null
+++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md
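Review bot: The new `policyRule` description drops the only guidance the module gave on escaping; the removed text states that an unescaped template expression inside the rule is evaluated by the top-level deployment instead of being stored in the definition, which silently changes what the policy later enforces. Keep that instruction in the shortened wording, e.g. `@description('Required. The policy rule. Escape template expressions inside the rule with a leading \'[\' so they are stored in the definition rather than evaluated by the top level deployment.')`. The readme added for this module later in the patch also lists `parameters` as `array` while this file declares `param parameters object = {}`, and its `policyRule` row ends with a stray quote; both should follow the declaration here.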
@@ -0,0 +1,61 @@ +# PolicyDefinition + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2019-10-01| +|`Microsoft.Authorization/policyDefinitions`|2020-09-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `policyDefinitionName` | string | Required. Specifies the name of the policy definition. | | | +| `displayName` | string | Optional. The display name of the policy definition. | | | +| `policyDescription` | string | Optional. The policy definition description. | | | +| `mode` | string | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | All | | +| `metadata` | object | Optional. The policy Definition metadata. Metadata is an open ended object and is typically a collection of key value pairs. | | | +| `parameters` | array | Optional. The policy definition parameters that can be used in policy definition references. | | | +| `policyRule` | object | Required. The Policy Rule details for the Policy Definition' | | | +| `subscriptionId` | string | Optional. ID of the Subscription where you want to deploy the policy definition. Cannot use this parameter with the management group Id | | +| `managementGroupId` | string | Optional. ID of the Management Group where you want to deploy the policy definition. Cannot use this parameter with subscription Id | | +| `location` | string | Optional. Location for all resources. | | | + +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. 
+ +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `policyDefinitionId` | string | The ID of the Policy definition | +| `policyDefinitionName` | string | Name of the Policy definition | +| `roleDefinitionIds` | array | An array of the Role Definition Resource IDs that the policy definition uses. Only available if policy definition contains it | + +## Considerations + +## Additional resources + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) From 80f64b165095a97cd0dd0129dedb033c00536e1d Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 15:16:21 +1100 Subject: [PATCH 26/36] added exemption and set definition pipelines --- .../ms.authorization.policyexemptions.yml | 182 ++++++++++++++++++ .../ms.authorization.policysetdefinitions.yml | 182 ++++++++++++++++++ 2 files changed, 364 insertions(+) create mode 100644 .github/workflows/ms.authorization.policyexemptions.yml create mode 100644 .github/workflows/ms.authorization.policysetdefinitions.yml diff --git a/.github/workflows/ms.authorization.policyexemptions.yml b/.github/workflows/ms.authorization.policyexemptions.yml new file mode 100644 index 0000000000..37a4ba897c --- /dev/null +++ b/.github/workflows/ms.authorization.policyexemptions.yml 
@@ -0,0 +1,182 @@ +name: "Authorization: policyExemptions" + +on: + workflow_dispatch: + inputs: + removeDeployment: + description: 'Remove deployed module' + required: false + default: 'false' + versioningOption: + description: 'The mode to handle the version increments [major|minor|patch|custom]' + required: false + default: 'patch' + customVersion: + description: 'The version to enforce if [versionOption] is set to [custom]' + required: false + default: '0.0.1' + +env: + moduleName: 'policyExemptions' + modulePath: 'arm/Microsoft.Authorization/policyExemptions' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_MGMTGROUP_ID: ${{ secrets.ARM_MGMTGROUP_ID }} + +jobs: + ################## + # UNIT TESTS # + ################## + # Global tests + # ------------ + job_tests_module_global: + runs-on: ubuntu-20.04 + name: "Run global module tests" + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: "Test module" + uses: ./.github/actions/templates/validateModuleGeneral + with: + modulePath: '${{ env.modulePath }}' + moduleName: '${{ env.moduleName}}' + + # Global API tests + # ---------------- + job_tests_module_global_api: + runs-on: ubuntu-20.04 + name: "Run global API module tests" + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: "Test module" + uses: ./.github/actions/templates/validateModuleApis + with: + modulePath: '${{ env.modulePath }}' + moduleName: '${{ env.moduleName}}' + + # Validate deployment module tests + # -------------------------------- + job_tests_module_deploy_validate: + runs-on: ubuntu-20.04 + name: "Run deployment validation module tests" + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of 
variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Test module" + uses: ./.github/actions/templates/validateModuleDeploy + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + + #################### + # DEPLOY TESTS # + #################### + job_deploy_module: + runs-on: ubuntu-20.04 + name: "Deploy module" + needs: + - job_tests_module_global + - job_tests_module_global_api + - job_tests_module_deploy_validate + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Deploy module" + uses: ./.github/actions/templates/deployModule + with: + moduleName: '${{ env.moduleName }}' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ github.event.inputs.removeDeployment }}' + + ############### + # PUBLISH # + ############### + job_publish_module: + name: "Publish module" + if: contains(fromJson('["refs/heads/main", "refs/heads/master"]'), github.ref) + runs-on: ubuntu-20.04 + needs: + - job_deploy_module + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: 
deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Publish module" + uses: ./.github/actions/templates/publishModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}' + componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}' + componentTemplateSpecName: '${{ env.moduleName }}' + componentTemplateSpecDescription: '${{ env.componentTemplateSpecDescription }}' + publishToTemplateSpec: '${{ env.publishToTemplateSpec }}' + versioningOption: '${{ github.event.inputs.versioningOption }}' + customVersion: '${{ github.event.inputs.customVersion }}' + + ############## + # REMOVE # + ############## + job_remove_module: + runs-on: ubuntu-20.04 + name: "Remove module" + if: ${{ always() && !cancelled() && github.event.inputs.removeDeployment == 'true' && (contains(needs.*.result, 'success') || contains(needs.*.result, 'failure')) }} + needs: + - job_deploy_module + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Remove module" + uses: ./.github/actions/templates/removeModule + with: + moduleName: '${{ env.moduleName }}' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + resourceGroupName: '${{ env.resourceGroupName }}' \ No newline at end of file diff --git a/.github/workflows/ms.authorization.policysetdefinitions.yml b/.github/workflows/ms.authorization.policysetdefinitions.yml new file mode 100644 index 0000000000..e881a98ac9 --- /dev/null +++ b/.github/workflows/ms.authorization.policysetdefinitions.yml 
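Review bot: `AZURE_CREDENTIALS`, `ARM_SUBSCRIPTION_ID` and `ARM_MGMTGROUP_ID` are placed in the workflow-level `env:` block, so every step of every job receives the deployment credential in its environment, including the third-party `deep-mm/set-variables@v1.0` action, which is referenced by a mutable tag rather than a commit hash; the steps that need the ids already read `secrets.ARM_SUBSCRIPTION_ID` and `secrets.ARM_MGMTGROUP_ID` directly, so those two env entries appear unused. Keep the credential scoped to the steps that consume it (a step-level `env:` on the validate/deploy/remove steps, assuming the composite actions read `AZURE_CREDENTIALS` from the environment — confirm) and pin the external action to a full commit hash, e.g. `uses: deep-mm/set-variables@<full-commit-sha> # v1.0`. The same applies to `.github/workflows/ms.authorization.policysetdefinitions.yml` later in this patch. Minor: `'${{ env.moduleName}}'` in the two global-test jobs is missing the space before `}}`; it evaluates the same but is inconsistent with every other reference in the file.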
@@ -0,0 +1,182 @@ +name: "Authorization: policySetDefinitions" + +on: + workflow_dispatch: + inputs: + removeDeployment: + description: 'Remove deployed module' + required: false + default: 'false' + versioningOption: + description: 'The mode to handle the version increments [major|minor|patch|custom]' + required: false + default: 'patch' + customVersion: + description: 'The version to enforce if [versionOption] is set to [custom]' + required: false + default: '0.0.1' + +env: + moduleName: 'policySetDefinitions' + modulePath: 'arm/Microsoft.Authorization/policySetDefinitions' + AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_MGMTGROUP_ID: ${{ secrets.ARM_MGMTGROUP_ID }} + +jobs: + ################## + # UNIT TESTS # + ################## + # Global tests + # ------------ + job_tests_module_global: + runs-on: ubuntu-20.04 + name: "Run global module tests" + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: "Test module" + uses: ./.github/actions/templates/validateModuleGeneral + with: + modulePath: '${{ env.modulePath }}' + moduleName: '${{ env.moduleName}}' + + # Global API tests + # ---------------- + job_tests_module_global_api: + runs-on: ubuntu-20.04 + name: "Run global API module tests" + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: "Test module" + uses: ./.github/actions/templates/validateModuleApis + with: + modulePath: '${{ env.modulePath }}' + moduleName: '${{ env.moduleName}}' + + # Validate deployment module tests + # -------------------------------- + job_tests_module_deploy_validate: + runs-on: ubuntu-20.04 + name: "Run deployment validation module tests" + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # 
Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Test module" + uses: ./.github/actions/templates/validateModuleDeploy + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + + #################### + # DEPLOY TESTS # + #################### + job_deploy_module: + runs-on: ubuntu-20.04 + name: "Deploy module" + needs: + - job_tests_module_global + - job_tests_module_global_api + - job_tests_module_deploy_validate + strategy: + fail-fast: false + matrix: + parameterFilePaths: ['parameters.json'] + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Deploy module" + uses: ./.github/actions/templates/deployModule + with: + moduleName: '${{ env.moduleName }}' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}' + location: '${{ env.defaultLocation }}' + resourceGroupName: '${{ env.resourceGroupName }}' + subscriptionId: '${{ secrets.ARM_SUBSCRIPTION_ID }}' + managementGroupId: '${{ secrets.ARM_MGMTGROUP_ID }}' + removeDeployment: '${{ github.event.inputs.removeDeployment }}' + + ############### + # PUBLISH # + ############### + job_publish_module: + name: "Publish module" + if: contains(fromJson('["refs/heads/main", "refs/heads/master"]'), github.ref) + runs-on: ubuntu-20.04 + needs: + - job_deploy_module + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: 
deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Publish module" + uses: ./.github/actions/templates/publishModule + with: + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}' + componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}' + componentTemplateSpecName: '${{ env.moduleName }}' + componentTemplateSpecDescription: '${{ env.componentTemplateSpecDescription }}' + publishToTemplateSpec: '${{ env.publishToTemplateSpec }}' + versioningOption: '${{ github.event.inputs.versioningOption }}' + customVersion: '${{ github.event.inputs.customVersion }}' + + ############## + # REMOVE # + ############## + job_remove_module: + runs-on: ubuntu-20.04 + name: "Remove module" + if: ${{ always() && !cancelled() && github.event.inputs.removeDeployment == 'true' && (contains(needs.*.result, 'success') || contains(needs.*.result, 'failure')) }} + needs: + - job_deploy_module + steps: + - name: "Checkout" + uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Set environment variables + uses: deep-mm/set-variables@v1.0 + with: + # Name of variable file + variableFileName: 'variables.module' # Don't write .json here + - name: "Remove module" + uses: ./.github/actions/templates/removeModule + with: + moduleName: '${{ env.moduleName }}' + templateFilePath: '${{ env.modulePath }}/deploy.bicep' + resourceGroupName: '${{ env.resourceGroupName }}' \ No newline at end of file From 59c807e7aafd012eedd55227ec12105b39b3755a Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Wed, 6 Oct 2021 19:00:56 +1100 Subject: [PATCH 27/36] Users/ahmadabdalla/ms authorization (#2) * added policy exemption --- .../policyAssignments/readme.md | 4 +- .../policyDefinitions/readme.md | 5 +- .../.bicep/nested_policyExemptions_mg.bicep | 2 + .../.bicep/nested_policyExemptions_rg.bicep | 2 + .../.bicep/nested_policyExemptions_sub.bicep | 2 + .../policyExemptions/deploy.bicep | 22 ++++-- .../parameters/parameters.json | 7 +- .../policyExemptions/readme.md | 77 +++++++++++++++++++ .../nested_policySetDefinition_mg.bicep | 2 + .../nested_policySetDefinition_sub.bicep | 2 + .../policySetDefinitions/deploy.bicep | 19 +++-- .../parameters/parameters.json | 2 +- .../policySetDefinitions/readme.md | 61 +++++++++++++++ 13 files changed, 184 insertions(+), 23 deletions(-) create mode 100644 arm/Microsoft.Authorization/policyExemptions/readme.md create mode 100644 arm/Microsoft.Authorization/policySetDefinitions/readme.md diff --git a/arm/Microsoft.Authorization/policyAssignments/readme.md b/arm/Microsoft.Authorization/policyAssignments/readme.md index a3a74015bd..0e03112066 100644 --- a/arm/Microsoft.Authorization/policyAssignments/readme.md +++ b/arm/Microsoft.Authorization/policyAssignments/readme.md @@ -78,5 +78,5 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour ## Additional resources - [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +- [Policy Assignments](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyassignments?tabs=bicep) +- [Role Assignments](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments?tabs=bicep) 
diff --git a/arm/Microsoft.Authorization/policyDefinitions/readme.md b/arm/Microsoft.Authorization/policyDefinitions/readme.md index 1924a0a779..fa965bd8bd 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/readme.md +++ b/arm/Microsoft.Authorization/policyDefinitions/readme.md @@ -11,7 +11,7 @@ | Parameter Name | Type | Description | DefaultValue | Possible values | | :-- | :-- | :-- | :-- | :-- | -| `policyDefinitionName` | string | Required. Specifies the name of the policy definition. | | | +| `policyDefinitionName` | string | Required. Specifies the name of the policy definition. Space characters will be replaced by (-) and converted to lowercase | | | | `displayName` | string | Optional. The display name of the policy definition. | | | | `policyDescription` | string | Optional. The policy definition description. | | | | `mode` | string | Optional. The policy definition mode. Default is All, Some examples are All, Indexed, Microsoft.KeyVault.Data. | All | | @@ -57,5 +57,4 @@ To deploy resource to an Azure Subscription, provide the `subscriptionId` as an ## Additional resources - [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) +- [Policy Definitions](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policydefinitions?tabs=bicep) diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep index 9616b7456e..f51cabd5a3 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep 
@@ -3,9 +3,11 @@ targetScope = 'managementGroup'
 param policyExemptionName string
 param policyExemptionProperties object
 param managementGroupId string
+param location string = deployment().location
 resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
 name: policyExemptionName
+ location: location
 properties: policyExemptionProperties
 }
diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep
index 4b89d0e073..5e5c80d79a 100644
--- a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep
@@ -4,9 +4,11 @@ param policyExemptionName string
 param policyExemptionProperties object
 param subscriptionId string = subscription().subscriptionId
 param resourceGroupName string = resourceGroup().name
+param location string = resourceGroup().location
 resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
 name: policyExemptionName
+ location: location
 properties: policyExemptionProperties
 }
diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep
index 1e83d45496..fab81b6624 100644
--- a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep
@@ -3,9 +3,11 @@ targetScope = 'subscription'
 param policyExemptionName string
 param policyExemptionProperties object
 param subscriptionId string
+param location string = deployment().location
 resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = {
 name: policyExemptionName
+ location: location
 properties: policyExemptionProperties
 }
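Review bot: `location: location` is added to the `Microsoft.Authorization/policyExemptions@2020-07-01-preview` resource body in all three nested templates (mg, rg and sub hunks on this line), but policy exemptions are scope-bound objects and, as far as I can tell, that resource type declares no `location` property; if so, Bicep will flag the property and the deployment may be rejected, so confirm against the 2020-07-01-preview schema and, where it is absent, drop `location: location` from the resource and keep the `location` parameter only if a caller actually needs it. Separately, the policyExemptions readme added later in this patch lists the resource type's ApiVersion as `2020-09-01`, whereas these templates deploy `2020-07-01-preview`; the readme should state the version actually used. Within the visible hunks the pre-existing `managementGroupId`, `subscriptionId` and `resourceGroupName` parameters are still not referenced by anything, which is worth a follow-up cleanup.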
diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
index 1c2de9b062..b8e82dbe67 100644
--- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep
@@ -4,10 +4,10 @@ targetScope = 'managementGroup'
 @maxLength(64)
 param policyExemptionName string
-@description('Optional. The display name of the policy exemption. If not provided, will be replaced with the Policy exemption Name')
+@description('Optional. The display name of the policy exemption.')
 param displayName string = ''
-@description('Optional. The display name of the policy exemption. If not provided, will be replaced with the Policy exemption Name')
+@description('Optional. The description of the policy exemption.')
 param policyExemptionDescription string = ''
 @description('Optional. The policy exemption metadata. Metadata is an open ended object and is typically a collection of key value pairs.')
@@ -29,15 +29,18 @@ param policyDefinitionReferenceIds array = []
 @description('Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z ')
 param expiresOn string = ''
-@description('Optional. The ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
+@description('Optional. The ID of the management group to be exempted from the policy assignment. Cannot use with subscription id parameter.')
 param managementGroupId string = ''
-@description('Optional. The ID of the Azure Subscription (Scope). Cannot be used with managementGroupId')
+@description('Optional. The ID of the azure subscription to be exempted from the policy assignment. Cannot use with management group id parameter.')
 param subscriptionId string = ''
-@description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment')
+@description('Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter.')
 param resourceGroupName string = ''
+@description('Optional. Location for all resources.')
+param location string = deployment().location
+
 var policyExemptionName_var = toLower(replace(policyExemptionName, ' ', '-'))
 var policyExemptionProperties_var = {
 displayName: (empty(displayName) ? json('null') : displayName)
@@ -49,33 +52,36 @@ var policyExemptionProperties_var = {
 expiresOn: (empty(expiresOn) ? json('null') : expiresOn)
 }
-module policyExemption_mg './.bicep/nested_policyexemptions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
+module policyExemption_mg './.bicep/nested_policyExemptions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${policyExemptionName_var}-mg'
 scope: managementGroup(managementGroupId)
 params: {
 policyExemptionName: policyExemptionName_var
 policyExemptionProperties: policyExemptionProperties_var
 managementGroupId: managementGroupId
+ location: location
 }
 }
-module policyExemption_sub './.bicep/nested_policyexemptions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
+module policyExemption_sub './.bicep/nested_policyExemptions_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${policyExemptionName_var}-sub'
 scope: subscription(subscriptionId)
 params: {
 policyExemptionName: policyExemptionName_var
 policyExemptionProperties: policyExemptionProperties_var
 subscriptionId: subscriptionId
+ location: location
 }
 }
-module policyExemption_rg './.bicep/nested_policyexemptions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
+module policyExemption_rg './.bicep/nested_policyExemptions_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) {
 name: '${policyExemptionName_var}-rg'
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
 policyExemptionName: policyExemptionName_var
 policyExemptionProperties: policyExemptionProperties_var
 subscriptionId: subscriptionId
+ location: location
 }
 }
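Review bot: The three module conditions are mutually exclusive but not exhaustive: `resourceGroupName` given without `subscriptionId`, or `managementGroupId` combined with `resourceGroupName`, matches none of them, so the deployment succeeds while no exemption is created, and an operator who only checks the deployment result would believe the exemption is in place. Bicep at this version appears to offer no way to fail the template on a parameter combination, so at minimum document it next to the modules, e.g. `// Exactly one scope must match; any other combination of managementGroupId / subscriptionId / resourceGroupName deploys nothing.`, and say the same in the readme's parameter rows. The casing fix of the `nested_policyExemptions_*.bicep` paths is what makes these modules resolve on a case-sensitive file system and deserves a mention in the commit message. The `policyExemptionProperties_var` object this hunk closes starts outside the hunk.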
diff --git a/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json b/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json index efc4a3ecc2..32593e22a9 100644 --- a/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json @@ -9,7 +9,7 @@ "value": "[Test] policy exempt" }, "policyAssignmentId": { - "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/Microsoft.Authorization/policyAssignments/Add-a-tag-to-resources" + "value": "/subscriptions/20d6fbfe-b049-471c-95af-1369d14d0d45/providers/Microsoft.Authorization/policyAssignments/Add-a-tag-to-resources" }, "exemptionCategory": { "value": "Waiver" @@ -23,7 +23,10 @@ "value": "2023-10-02T03:57:00.000Z" }, "subscriptionId": { - "value": "8629be3b-96bc-482d-a04b-ffff597c65a2" + "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" + }, + "resourceGroupName": { + "value": "validation-rg" } } } \ No newline at end of file diff --git a/arm/Microsoft.Authorization/policyExemptions/readme.md b/arm/Microsoft.Authorization/policyExemptions/readme.md new file mode 100644 index 0000000000..39a27de210 --- /dev/null +++ b/arm/Microsoft.Authorization/policyExemptions/readme.md 
@@ -0,0 +1,77 @@ +# PolicyExemption + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2019-10-01| +|`Microsoft.Authorization/policyExemptions`|2020-09-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `policyExemptionName` | string | Required. Specifies the name of the policy exemption. Space characters will be replaced by (-) and converted to lowercase | | | +| `displayName` | string | Optional. The display name of the policy exemption. | | | +| `policyExemptionDescription` | string | Optional. The description of the policy exemption. | | | +| `metadata` | object | Optional. The policy Exemption metadata. Metadata is an open ended object and is typically a collection of key value pairs. | | | +| `exemptionCategory` | string | Optional. The policy exemption category. Possible values are Waiver and Mitigated. Default is Mitigated | Mitigated |Mitigated,Waiver | +| `policyAssignmentId` | string | Required. The ID of the policy assignment that is being exempted. | | | +| `policyDefinitionReferenceIds` | array | Optional. The policy definition reference ID list when the associated policy assignment is an assignment of a policy set definition.| | | +| `expiresOn` | string | Optional. The expiration date and time (in UTC ISO 8601 format yyyy-MM-ddTHH:mm:ssZ) of the policy exemption. e.g. 2021-10-02T03:57:00.000Z | | 2021-10-02T03:57:00.000Z | +| `resourceGroupName` | string | Optional. The name of the resource group to be exempted from the policy assignment. Must also use the subscription ID parameter. | | +| `subscriptionId` | string | Optional. The ID of the azure subscription to be exempted from the policy assignment. Cannot use with management group id parameter. | | +| `managementGroupId` | string | Optional. The ID of the management group to be exempted from the policy assignment. Cannot use with subscription id parameter. 
| | +| `location` | string | Optional. Location for all resources. | | | + +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. + +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` +### Parameter Usage: `resourceGroupName` + +To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +}, +"resourceGroupName": { + "value": "target-resourceGroup" +} +``` +> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420). + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `policyExemptionId` | string | The ID of the Policy Exemption | +| `policyExemptionName` | string | Name of the Policy Exemption | +| `policyExemptionScope` | string | The scope where the Policy Exemption is applied at | + +## Considerations + +- Policy Exemptions have a dependency on Policy Assignments being applied before creating an exemption. You can use the Policy Assignment [Module](../policyAssignments/deploy.bicep) to deploy a Policy Assignment and then create the exemption for it on the required scope. 
+
+## Additional resources
+
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments)
+- [Policy Exemption](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policyexemptions)
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
index 81ba50f46f..09346766c0 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
@@ -2,9 +2,11 @@ targetScope = 'managementGroup'
 param policySetDefinitionName string
 param policySetDefinitionProperties object
 param managementGroupId string
+param location string = deployment().location
 resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
 name: policySetDefinitionName
+ location: location
 properties: policySetDefinitionProperties
 }
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep
index eb3e4b2e5e..4f06d7b38c 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep
@@ -2,9 +2,11 @@ targetScope = 'subscription'
 param policySetDefinitionName string
 param policySetDefinitionProperties object
 param subscriptionId string = subscription().id
+param location string = deployment().location
 resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = {
 name: policySetDefinitionName
+ location: location
 properties: policySetDefinitionProperties
 }
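Review bot: `+  location: location` is added to the `Microsoft.Authorization/policySetDefinitions@2020-09-01` resource in both nested templates (mg and sub), but as far as I know that resource type has no top-level `location` property — initiatives are bound to a scope, not a region — so Bicep should report the property as not allowed and the deployment may reject it; please confirm against the 2020-09-01 schema. If it is not accepted, drop the `location:` line from the resource in both files and keep `param location string = deployment().location` only if something else in these templates needs it; the `location: location` values passed in from deploy.bicep in the `@@ -46,6 +49,7 @@` and `@@ -56,6 +60,7 @@` hunks would then be unused input. The mg template also declares `param managementGroupId string` without referencing it in the visible lines; if nothing after the hunk uses it, it is dead input worth a comment or removal.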
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
index ceac3a4e3f..f3a803fcdb 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep
@@ -1,13 +1,13 @@
 targetScope = 'managementGroup'
-@description('Required. Specifies the name of the policy assignment.')
+@description('Required. Specifies the name of the policy Set Definition (Initiative). Space characters will be replaced by (-) and converted to lowercase')
 @maxLength(64)
 param policySetDefinitionName string
-@description('Optional. The display name of the policy assignment. If not provided, will be replaced with the Policy Assignment Name')
+@description('Optional. The display name of the Set Definition (Initiative)')
 param displayName string = ''
-@description('Optional. This message will be part of response in case of policy violation. If not provided, will be replaced with the Policy Assignment Name')
+@description('Optional. The Description name of the Set Definition (Initiative)')
 param policySetDescription string = ''
 @description('Optional. The ID of the Management Group (Scope). Cannot be used with subscriptionId and does not support tenant level deployment (i.e. \'/\')')
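Review bot: The new description on `policySetDefinitionName` promises that spaces are replaced by `-` and the name is "converted to lowercase", but `var policySetDefinitionName_var = replace(policySetDefinitionName, ' ', '-')` in the next hunk only replaces spaces, so the documentation over-states what the template does; either wrap the expression in `toLower(...)` or trim the description to `Space characters will be replaced by (-)`. The same sentence is copied into the new readme table, so whichever way it is resolved should be applied in both places. `@description('Optional. The Description name of the Set Definition (Initiative)')` also reads oddly; `@description('Optional. The description of the Policy Set Definition (Initiative).')` is clearer and matches the parameter name.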
@@ -16,18 +16,21 @@ param managementGroupId string = ''
 @description('Optional. The ID of the Azure Subscription (Scope). Cannot be used with managementGroupId')
 param subscriptionId string = ''
-@description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key value pairs.')
+@description('Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key value pairs.')
 param metadata object = {}
-@description('Required. The array of Policy definitions object to include for this policy set. Each object must include the definition ID, parameters, ')
+@description('Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters')
 param policyDefinitions array
-@description('Optional. The metadata describing groups of policy definition references within the policy set definition.')
+@description('Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative).')
 param policyDefinitionGroups array = []
-@description('Optional. The policy set definition parameters that can be used in policy definition references.')
+@description('Optional. The Set Definition (Initiative) parameters that can be used in policy definition references.')
 param parameters object = {}
+@description('Optional. Location for all resources.')
+param location string = deployment().location
+
 var policySetDefinitionName_var = replace(policySetDefinitionName, ' ', '-')
 var policySetDefinitionProperties_var = {
 policyType: 'Custom'
@@ -46,6 +49,7 @@ module policySetDefinition_mg './.bicep/nested_policySetDefinition_mg.bicep' = i
 policySetDefinitionName: policySetDefinitionName_var
 policySetDefinitionProperties: policySetDefinitionProperties_var
 managementGroupId: managementGroupId
+ location: location
 }
 }
@@ -56,6 +60,7 @@ module policySetDefinition_sub './.bicep/nested_policySetDefinition_sub.bicep' =
 policySetDefinitionName: policySetDefinitionName_var
 policySetDefinitionProperties: policySetDefinitionProperties_var
 subscriptionId: subscriptionId
+ location: location
 }
 }
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
index 7e5e0552f0..09587c43d0 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
@@ -60,7 +60,7 @@
 }
 },
 "subscriptionId": {
- "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
+ "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
 }
 }
 }
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/readme.md b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
new file mode 100644
index 0000000000..e01b0f125e
--- /dev/null
+++ b/arm/Microsoft.Authorization/policySetDefinitions/readme.md
@@ -0,0 +1,61 @@ +# policySetDefinition + +## Resource types + +|Resource Type|ApiVersion| +|:--|:--| +|`Microsoft.Resources/deployments`|2019-10-01| +|`Microsoft.Authorization/policySetDefinitions`|2020-09-01| + +## Parameters + +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-- | :-- | :-- | :-- | :-- | +| `policySetDefinitionName` | string | Required. Required. Specifies the name of the policy Set Definition (Initiative). Space characters will be replaced by (-) and converted to lowercase | | | +| `displayName` | string | Optional. Optional. The display name of the Set Definition (Initiative) | | | +| `policySetDescription` | string | Optional. The description name of the Set Definition (Initiative) | | | +| `metadata` | object | Optional. Optional. The Set Definition (Initiative) metadata. Metadata is an open ended object and is typically a collection of key value pairs. | | | +| `policyDefinitions` | array | Required. The array of Policy definitions object to include for this policy set. Each object must include the Policy definition ID, and optionally other properties like parameters | | | +| `policyDefinitionGroups` | string | Optional. The metadata describing groups of policy definition references within the Policy Set Definition (Initiative). | | | +| `parameters` | object | Optional. The Set Definition (Initiative) parameters that can be used in policy definition references.| | | +| `subscriptionId` | string | Optional. The ID of the azure subscription where the initiative is being deployed at. Cannot use with management group id parameter. | | +| `managementGroupId` | string | Optional. The ID of the management group where the initiative is being deployed at. Cannot use with subscription id parameter. | | +| `location` | string | Optional. Location for all resources. 
| | | + +### Parameter Usage: `managementGroupId` + +To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module. + +```json +"managementGroupId": { + "value": "contoso-group" +} +``` + +> The name of the Management Group in the deployment does not have to match the value of the `managementGroupId` in the input parameters. + +### Parameter Usage: `subscriptionId` + +To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**: + +```json +"subscriptionId": { + "value": "12345678-b049-471c-95af-123456789012" +} +``` + +## Outputs + +| Output Name | Type | Description | +| :-- | :-- | :-- | +| `policySetDefinitionId` | string | The ID of the Policy Set Definitions (Initiatives) | +| `policySetDefinitionName` | string | Name of the Policy Set Definitions (Initiatives) | + +## Considerations + +- Policy Set Definitions (Initiatives) have a dependency on Policy Assignments being applied before creating an initiative. You can use the Policy Assignment [Module](../policyDefinitions/deploy.bicep) to deploy a Policy Definition and then create an initiative for it on the required scope. + +## Additional resources + +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2018-02-01/deployments) +- [Policy Set Definitions (Initiatives)](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/policysetdefinitions?tabs=bicep) From 9ba64cbcbd353926f2a89f267f989aa5b9ba248e Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Fri, 8 Oct 2021 14:14:27 +1100 Subject: [PATCH 28/36] Users/ahmadabdalla/ms auth comments (#3) * updated policy definitions module --- .../ms.authorization.policyassignments.yml | 4 +- .../ms.authorization.policydefinitions.yml | 4 +- .../ms.authorization.policyexemptions.yml | 4 +- .../ms.authorization.policysetdefinitions.yml | 4 +- .../ms.authorization.roleassignments.yml | 4 +- .../ms.authorization.roledefinitions.yml | 4 +- .../workflows/ms.network.azurefirewalls.yml | 8 +- .github/workflows/ms.network.bastionhosts.yml | 8 +- .../ms.network.expressroutecircuits.yml | 8 +- .../workflows/ms.network.loadbalancers.yml | 8 +- .../ms.network.localnetworkgateways.yml | 8 +- .../workflows/ms.network.privatednszones.yml | 8 +- .github/workflows/ms.network.routetables.yml | 8 +- README.md | 2 +- .../.bicep/nested_policyAssignments_mg.bicep | 48 +- .../.bicep/nested_policyAssignments_rg.bicep | 47 +- .../.bicep/nested_policyAssignments_sub.bicep | 45 +- .../policyAssignments/deploy.bicep | 65 +- .../.bicep/nested_policyDefinitions_mg.bicep | 26 +- .../.bicep/nested_policyDefinitions_sub.bicep | 28 +- .../policyDefinitions/deploy.bicep | 25 +- .../parameters/parameters.json | 100 +- .../.bicep/nested_policyExemptions_mg.bicep | 23 +- .../.bicep/nested_policyExemptions_rg.bicep | 23 +- .../.bicep/nested_policyExemptions_sub.bicep | 25 +- .../policyExemptions/deploy.bicep | 36 +- .../parameters/parameters.json | 3 - .../nested_policySetDefinition_mg.bicep | 26 +- .../nested_policySetDefinition_sub.bicep | 26 +- .../policySetDefinitions/deploy.bicep | 25 +- .../parameters/parameters.json | 119 +- .../.bicep/nested_rbac_mg.bicep | 196 +++ .../.bicep/nested_rbac_rg.bicep | 196 +++ .../.bicep/nested_rbac_sub.bicep | 196 +++ .../.bicep/nested_roleAssignments_mg.bicep | 17 - .../.bicep/nested_roleAssignments_rg.bicep | 18 - .../.bicep/nested_roleAssignments_sub.bicep | 17 - .../roleAssignments/deploy.bicep 
| 197 +-- .../roleAssignments/readme.md | 1 + .../.bicep/nested_roleDefinitions_mg.bicep | 1 + .../.bicep/nested_roleDefinitions_rg.bicep | 3 +- .../.bicep/nested_roleDefinitions_sub.bicep | 3 +- .../roleDefinitions/deploy.bicep | 1 + .../parameters/parameters.json | 11 +- .../roleDefinitions/readme.md | 1 + .../.bicep/nested_rbac.bicep | 11 +- .../automationAccounts/deploy.bicep | 43 +- .../automationAccounts/readme.md | 4 +- .../galleries/.bicep/nested_rbac.bicep | 12 +- arm/Microsoft.Compute/galleries/deploy.bicep | 11 +- .../.bicep/nested_rbac.bicep | 12 +- .../virtualMachineScaleSets/deploy.bicep | 20 +- .../virtualMachineScaleSets/readme.md | 4 +- .../applications/deploy.bicep | 2 +- .../applications/deploy.json | 2 +- .../applications/readme.md | 4 +- .../.bicep/nested_rbac.bicep | 11 +- .../applicationgroups/deploy.bicep | 55 +- .../applicationgroups/deploy.json | 2 +- .../applicationgroups/readme.md | 11 +- .../hostpools/.bicep/nested_rbac.bicep | 11 +- .../hostpools/deploy.bicep | 11 +- .../hostpools/deploy.json | 2 +- .../hostpools/readme.md | 5 +- .../workspaces/.bicep/nested_rbac.bicep | 11 +- .../workspaces/deploy.bicep | 49 +- .../workspaces/deploy.json | 2 +- .../workspaces/readme.md | 8 +- .../actionGroups/.bicep/nested_rbac.bicep | 8 +- .../actionGroups/deploy.bicep | 5 +- .../.bicep/nested_rbac.bicep | 8 +- .../activityLogAlerts/deploy.bicep | 11 +- .../components/.bicep/nested_rbac.bicep | 8 +- .../components/deploy.bicep | 5 +- .../metricAlerts/.bicep/nested_rbac.bicep | 8 +- .../metricAlerts/deploy.bicep | 11 +- .../vaults/.bicep/nested_rbac.bicep | 12 +- arm/Microsoft.KeyVault/vaults/deploy.bicep | 13 +- .../workflows/.bicep/nested_rbac.bicep | 11 +- arm/Microsoft.Logic/workflows/deploy.bicep | 13 +- arm/Microsoft.Logic/workflows/readme.md | 2 +- .../.bicep/nested_rbac.bicep | 1 - .../applicationGateways/deploy.json | 885 ------------- .../applicationGateways/readme.md | Bin 45106 -> 45076 bytes .../applicationSecurityGroups/deploy.bicep | 3 
- .../applicationSecurityGroups/deploy.json | 354 ----- .../applicationSecurityGroups/readme.md | 2 +- .../azureFirewalls/.bicep/nested_cuaId.bicep | 0 .../azureFirewalls/.bicep/nested_rbac.bicep | 12 + .../azureFirewalls/deploy.bicep | 281 ++++ .../azureFirewalls/deploy.json | 664 ---------- .../azureFirewalls/readme.md | 5 +- .../bastionHosts/.bicep/nested_cuaId.bicep | 0 .../bastionHosts/.bicep/nested_rbac.bicep | 12 + .../bastionHosts/deploy.bicep | 213 +++ .../bastionHosts/deploy.json | 550 -------- arm/Microsoft.Network/bastionHosts/readme.md | 5 +- .../.bicep/nested_cuaId.bicep | 0 .../.bicep/nested_rbac.bicep | 11 + .../expressRouteCircuits/deploy.bicep | 197 +++ .../expressRouteCircuits/deploy.json | 558 -------- .../expressRouteCircuits/readme.md | 4 +- .../loadBalancers/.bicep/nested_cuaId.bicep | 0 .../loadBalancers/.bicep/nested_rbac.bicep | 11 + .../loadBalancers/deploy.bicep | 198 +++ .../loadBalancers/deploy.json | 543 -------- .../loadBalancers/parameters/parameters.json | 31 - arm/Microsoft.Network/loadBalancers/readme.md | 4 +- .../.bicep/nested_cuaId.bicep | 0 .../.bicep/nested_rbac.bicep | 11 + .../localNetworkGateways/deploy.bicep | 100 ++ .../localNetworkGateways/deploy.json | 188 +-- .../privateDnsZones/.bicep/nested_cuaId.bicep | 0 .../privateDnsZones/.bicep/nested_rbac.bicep | 11 + .../privateDnsZones/deploy.bicep | 83 ++ .../privateDnsZones/deploy.json | 201 --- .../parameters/parameters.json | 18 - .../privateDnsZones/readme.md | Bin 8604 -> 4339 bytes .../routeTables/.bicep/nested_cuaId.bicep | 0 .../routeTables/.bicep/nested_rbac.bicep | 11 + .../routeTables/deploy.bicep | 78 ++ arm/Microsoft.Network/routeTables/deploy.json | 189 +-- .../routeTables/parameters/parameters.json | 11 - .../.bicep/nested_rbac.bicep | 11 +- .../virtualNetworkGateways/deploy.bicep | 48 +- .../virtualNetworks/.bicep/nested_rbac.bicep | 11 +- .../virtualNetworks/deploy.bicep | 9 +- .../virtualWans/.bicep/nested_rbac.bicep | 11 +- .../virtualWans/deploy.bicep | 
41 +- .../workspaces/.bicep/nested_rbac.bicep | 11 +- .../workspaces/deploy.bicep | 1169 ++++++++--------- .../vaults/.bicep/nested_rbac.bicep | 11 +- .../vaults/deploy.bicep | 13 +- .../resourceGroups/.bicep/nested_rbac.bicep | 8 +- .../resourceGroups/deploy.bicep | 5 +- .../namespaces/.bicep/nested_rbac.bicep | 11 +- .../namespaces/deploy.bicep | 13 +- .../servers/.bicep/nested_rbac.bicep | 11 +- arm/Microsoft.Sql/servers/deploy.bicep | 47 +- .../.bicep/nested_container.bicep | 10 +- .../.bicep/nested_container_rbac.bicep | 11 +- .../.bicep/nested_fileShare.bicep | 20 +- .../.bicep/nested_fileShare_rbac.bicep | 11 +- .../storageAccounts/.bicep/nested_queue.bicep | 20 +- .../.bicep/nested_queue_rbac.bicep | 11 +- .../storageAccounts/.bicep/nested_rbac.bicep | 11 +- .../storageAccounts/deploy.bicep | 13 +- .../storageAccounts/readme.md | 2 +- arm/Microsoft.Subscription/aliases/readme.md | 56 +- .../connections/.bicep/nested_rbac.bicep | 11 +- arm/Microsoft.Web/connections/deploy.bicep | 43 +- arm/Microsoft.Web/connections/readme.md | 2 +- .../.bicep/nested_rbac.bicep | 11 +- .../hostingEnvironments/deploy.bicep | 39 +- .../hostingEnvironments/readme.md | 6 +- .../serverfarms/.bicep/nested_rbac.bicep | 11 +- arm/Microsoft.Web/serverfarms/deploy.bicep | 13 +- .../sites/.bicep/nested_rbac.bicep | 11 +- arm/Microsoft.Web/sites/deploy.bicep | 13 +- arm/README.md | 2 +- 160 files changed, 3395 insertions(+), 5855 deletions(-) create mode 100644 arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep create mode 100644 arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep create mode 100644 arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep delete mode 100644 arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep delete mode 100644 arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep delete mode 100644 
arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep delete mode 100644 arm/Microsoft.Network/applicationGateways/deploy.json delete mode 100644 arm/Microsoft.Network/applicationSecurityGroups/deploy.json create mode 100644 arm/Microsoft.Network/azureFirewalls/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/azureFirewalls/deploy.bicep delete mode 100644 arm/Microsoft.Network/azureFirewalls/deploy.json create mode 100644 arm/Microsoft.Network/bastionHosts/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/bastionHosts/deploy.bicep delete mode 100644 arm/Microsoft.Network/bastionHosts/deploy.json create mode 100644 arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/expressRouteCircuits/deploy.bicep delete mode 100644 arm/Microsoft.Network/expressRouteCircuits/deploy.json create mode 100644 arm/Microsoft.Network/loadBalancers/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/loadBalancers/deploy.bicep delete mode 100644 arm/Microsoft.Network/loadBalancers/deploy.json create mode 100644 arm/Microsoft.Network/localNetworkGateways/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/localNetworkGateways/deploy.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/privateDnsZones/deploy.bicep delete mode 100644 
arm/Microsoft.Network/privateDnsZones/deploy.json create mode 100644 arm/Microsoft.Network/routeTables/.bicep/nested_cuaId.bicep create mode 100644 arm/Microsoft.Network/routeTables/.bicep/nested_rbac.bicep create mode 100644 arm/Microsoft.Network/routeTables/deploy.bicep
diff --git a/.github/workflows/ms.authorization.policyassignments.yml b/.github/workflows/ms.authorization.policyassignments.yml
index b979d584b5..cae12a8830 100644
--- a/.github/workflows/ms.authorization.policyassignments.yml
+++ b/.github/workflows/ms.authorization.policyassignments.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyAssignments_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyAssignments_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/.github/workflows/ms.authorization.policydefinitions.yml b/.github/workflows/ms.authorization.policydefinitions.yml
index 16f890861d..257fa055b4 100644
--- a/.github/workflows/ms.authorization.policydefinitions.yml
+++ b/.github/workflows/ms.authorization.policydefinitions.yml
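Review bot: Pointing `templateFilePath` at `.bicep/nested_policyAssignments_sub.bicep` means the validate and deploy jobs no longer exercise the module entry point `deploy.bicep`, so its management-group and resource-group dispatch branches are not covered by CI and a regression there would ship unnoticed; the same switch is made in the policydefinitions, policyexemptions, policysetdefinitions, roleassignments and roledefinitions workflows that follow. The parameter file referenced on the next line is presumably still shaped for `deploy.bicep`'s parameters, so it is worth confirming the nested template accepts it rather than silently ignoring the scope inputs. If this is deliberate because `deploy.bicep` is managementGroup-scoped while the pipeline deploys at subscription scope, a comment on the step such as `# validates the subscription-scoped nested template; deploy.bicep targets managementGroup scope` would stop the next reader reverting it.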
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyDefinitions_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyDefinitions_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/.github/workflows/ms.authorization.policyexemptions.yml b/.github/workflows/ms.authorization.policyexemptions.yml
index 37a4ba897c..4fb115d723 100644
--- a/.github/workflows/ms.authorization.policyexemptions.yml
+++ b/.github/workflows/ms.authorization.policyexemptions.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyExemptions_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_policyExemptions_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/.github/workflows/ms.authorization.policysetdefinitions.yml b/.github/workflows/ms.authorization.policysetdefinitions.yml
index e881a98ac9..25310b912e 100644
--- a/.github/workflows/ms.authorization.policysetdefinitions.yml
+++ b/.github/workflows/ms.authorization.policysetdefinitions.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_policySetDefinition_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_policySetDefinition_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/.github/workflows/ms.authorization.roleassignments.yml b/.github/workflows/ms.authorization.roleassignments.yml
index 1f2109ac00..6e38867226 100644
--- a/.github/workflows/ms.authorization.roleassignments.yml
+++ b/.github/workflows/ms.authorization.roleassignments.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_rbac_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_rbac_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/.github/workflows/ms.authorization.roledefinitions.yml b/.github/workflows/ms.authorization.roledefinitions.yml
index b19a82f90c..84cd51c497 100644
--- a/.github/workflows/ms.authorization.roledefinitions.yml
+++ b/.github/workflows/ms.authorization.roledefinitions.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_roleDefinitions_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.bicep'
+ templateFilePath: '${{ env.modulePath }}/.bicep/nested_roleDefinitions_sub.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
diff --git a/.github/workflows/ms.network.azurefirewalls.yml b/.github/workflows/ms.network.azurefirewalls.yml
index d452ea540c..c30211de8f 100644
--- a/.github/workflows/ms.network.azurefirewalls.yml
+++ b/.github/workflows/ms.network.azurefirewalls.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/.github/workflows/ms.network.bastionhosts.yml b/.github/workflows/ms.network.bastionhosts.yml
index 844f85aa2f..8428fbbf05 100644
--- a/.github/workflows/ms.network.bastionhosts.yml
+++ b/.github/workflows/ms.network.bastionhosts.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/.github/workflows/ms.network.expressroutecircuits.yml b/.github/workflows/ms.network.expressroutecircuits.yml
index ba77d46700..65491abaf5 100644
--- a/.github/workflows/ms.network.expressroutecircuits.yml
+++ b/.github/workflows/ms.network.expressroutecircuits.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/.github/workflows/ms.network.loadbalancers.yml b/.github/workflows/ms.network.loadbalancers.yml
index 0ff8cfbd1d..4b34f24078 100644
--- a/.github/workflows/ms.network.loadbalancers.yml
+++ b/.github/workflows/ms.network.loadbalancers.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/.github/workflows/ms.network.localnetworkgateways.yml b/.github/workflows/ms.network.localnetworkgateways.yml
index 79da5382c8..a34d7e4c32 100644
--- a/.github/workflows/ms.network.localnetworkgateways.yml
+++ b/.github/workflows/ms.network.localnetworkgateways.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/.github/workflows/ms.network.privatednszones.yml b/.github/workflows/ms.network.privatednszones.yml
index 2f592ec5f8..8f8919b04a 100644
--- a/.github/workflows/ms.network.privatednszones.yml
+++ b/.github/workflows/ms.network.privatednszones.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/.github/workflows/ms.network.routetables.yml b/.github/workflows/ms.network.routetables.yml
index 9447099c68..7d13f128ef 100644
--- a/.github/workflows/ms.network.routetables.yml
+++ b/.github/workflows/ms.network.routetables.yml
@@ -81,7 +81,7 @@ jobs:
 - name: "Test module"
 uses: ./.github/actions/templates/validateModuleDeploy
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -116,7 +116,7 @@ jobs:
 uses: ./.github/actions/templates/deployModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 parameterFilePath: '${{ env.modulePath }}/parameters/${{ matrix.parameterFilePaths }}'
 location: '${{ env.defaultLocation }}'
 resourceGroupName: '${{ env.resourceGroupName }}'
@@ -146,7 +146,7 @@ jobs:
 - name: "Publish module"
 uses: ./.github/actions/templates/publishModule
 with:
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 componentTemplateSpecRGName: '${{ env.componentTemplateSpecRGName }}'
 componentTemplateSpecRGLocation: '${{ env.componentTemplateSpecRGLocation }}'
 componentTemplateSpecName: '${{ env.moduleName }}'
@@ -178,5 +178,5 @@ jobs:
 uses: ./.github/actions/templates/removeModule
 with:
 moduleName: '${{ env.moduleName }}'
- templateFilePath: '${{ env.modulePath }}/deploy.json'
+ templateFilePath: '${{ env.modulePath }}/deploy.bicep'
 resourceGroupName: '${{ env.resourceGroupName }}'
\ No newline at end of file
diff --git a/README.md b/README.md
index f8bacba9b5..6d990418ee 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ This repository includes a collection of advanced and curated Modules consisting
 | [NetworkSecurityGroups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkSecurityGroups) | | [![Network: Networksecuritygroups](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networksecuritygroups.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | [NSG Flow Logs](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkWatcherFlowLogs) | | [![Network: Networkwatcherflowlogs](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatcherflowlogs.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.networkwatcherflowlogs.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | [PolicyAssignment](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Authorization/policyAssignments) | | [![Authorization: Policyassignments](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.authorization.policyassignments.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
-| [PrivateDnsZones](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateDnsZones) | | [![Network: Privatednszones](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
+| [PrivateDnsZones](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateDnsZones) | :heavy_check_mark: | [![Network: 
Privatednszones](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privatednszones.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | [PrivateEndpoints](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateEndpoints) | :heavy_check_mark: | [![Network: Privateendpoints](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.privateendpoints.yml) | |
 | [Public IP Addresses](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/publicIPAddresses) | :heavy_check_mark: | [![Network: Publicipaddresses](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipaddresses.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
 | [Public IP Prefixes](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/publicIPPrefixes) | :heavy_check_mark: | [![Network: Publicipprefixes](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml/badge.svg)](https://github.com/Azure/ResourceModules/actions/workflows/ms.network.publicipprefixes.yml) | [![Deploy to Azure](/docs/media/deploytoazure.svg?sanitize=true)]() |
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep
index 261a89610c..113c59bc85 100644
--- a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_mg.bicep
@@ -1,27 +1,51 @@
 targetScope = 'managementGroup'
+
 param policyAssignmentName string
-param policyAssignmentProperties object
-param managementGroupId string
-param policyAssignmentIdentity object = {
- type: 'systemAssigned'
-}
-param location string = deployment().location
+param policyDefinitionID string
+param parameters object = {}
+param identity string = 'SystemAssigned'
 param roleDefinitionIds array = []
+param policyAssignmentDescription string = ''
+param displayName string = ''
+param metadata object = {}
+param nonComplianceMessage string = ''
+param enforcementMode string = 'Default'
+param notScopes array = []
+param managementGroupId string = ''
+param location string = deployment().location
+
+var policyAssignmentName_var = replace(policyAssignmentName, ' ', '-')
+var nonComplianceMessage_var = {
+ message: (empty(nonComplianceMessage) ? 'null' : nonComplianceMessage)
+}
+var policyAssignmentIdentity_var = {
+ type: identity
+}
 resource policyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
- name: policyAssignmentName
+ name: policyAssignmentName_var
 location: location
- properties: policyAssignmentProperties
- identity: policyAssignmentIdentity
+ properties: {
+ displayName: (empty(displayName) ? json('null') : displayName)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ description: (empty(policyAssignmentDescription) ? json('null') : policyAssignmentDescription)
+ policyDefinitionId: policyDefinitionID
+ parameters: parameters
+ nonComplianceMessages: (empty(nonComplianceMessage) ? [] : array(nonComplianceMessage_var))
+ enforcementMode: enforcementMode
+ notScopes: (empty(notScopes) ? 
[] : notScopes)
+ }
+ identity: policyAssignmentIdentity_var
 }
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && !empty(policyAssignmentIdentity)) {
- name: guid(managementGroupId, roleDefinitionId, location, policyAssignmentName)
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity != 'None') {
+ name: guid(managementGroupId, roleDefinitionId, location, policyAssignmentName_var)
 properties: {
 roleDefinitionId: roleDefinitionId
 principalId: policyAssignment.identity.principalId
 }
 }]
+output policyAssignmentName string = policyAssignment.name
 output policyAssignmentId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
-output policyAssignmentPrincipalId string = (policyAssignmentIdentity.type == 'SystemAssigned') ? policyAssignment.identity.principalId : ''
+output policyAssignmentPrincipalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep
index 925314dc6e..41b5b0336b 100644
--- a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_rg.bicep
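Review bot: `param identity string = 'SystemAssigned'` is unconstrained, yet the role-assignment loop is gated only on `identity != 'None'` and the `policyAssignmentPrincipalId` output only on `identity == 'SystemAssigned'`, so any other value (a typo, or a future 'UserAssigned') still attempts to create role assignments from `policyAssignment.identity.principalId`, which the identity object built here (`type: identity` only) cannot supply. Because these role assignments are a privilege grant at management-group scope, constrain the input at the template boundary with an `@allowed` decorator on `identity` listing `'SystemAssigned'` and `'None'`, and give `roleDefinitionIds` a `@description` stating that every id listed is granted to the assignment's identity at this scope. The rg and sub nested templates in this commit have the same unconstrained `identity` parameter and guard. Separately, `managementGroupId` gained a default of `''`, which lets `guid(managementGroupId, ...)` and the `extensionResourceId(tenantResourceId(...), ...)` output degrade silently if a direct caller omits it; keeping it required (`param managementGroupId string`) fails fast instead.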
@@ -1,22 +1,44 @@
 targetScope = 'resourceGroup'
 param policyAssignmentName string
-param policyAssignmentProperties object
-param resourceGroupName string
-param policyAssignmentIdentity object = {
- type: 'systemAssigned'
-}
-param location string = resourceGroup().location
-param subscriptionId string
+param policyDefinitionID string
+param parameters object = {}
+param identity string = 'SystemAssigned'
 param roleDefinitionIds array = []
+param policyAssignmentDescription string = ''
+param displayName string = ''
+param metadata object = {}
+param nonComplianceMessage string = ''
+param enforcementMode string = 'Default'
+param notScopes array = []
+param resourceGroupName string = resourceGroup().name
+param subscriptionId string = subscription().subscriptionId
+param location string = resourceGroup().location
+
+var policyAssignmentName_var = replace(policyAssignmentName, ' ', '-')
+var nonComplianceMessage_var = {
+ message: (empty(nonComplianceMessage) ? 'null' : nonComplianceMessage)
+}
+var policyAssignmentIdentity_var = {
+ type: identity
+}
 resource policyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
- name: policyAssignmentName
+ name: policyAssignmentName_var
 location: location
- properties: policyAssignmentProperties
- identity: policyAssignmentIdentity
+ properties: {
+ displayName: (empty(displayName) ? json('null') : displayName)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ description: (empty(policyAssignmentDescription) ? json('null') : policyAssignmentDescription)
+ policyDefinitionId: policyDefinitionID
+ parameters: parameters
+ nonComplianceMessages: (empty(nonComplianceMessage) ? [] : array(nonComplianceMessage_var))
+ enforcementMode: enforcementMode
+ notScopes: (empty(notScopes) ? 
[] : notScopes)
+ }
+ identity: policyAssignmentIdentity_var
 }
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && !empty(policyAssignmentIdentity)) {
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity != 'None') {
 name: guid(subscriptionId, resourceGroupName, roleDefinitionId, location, policyAssignmentName)
 properties: {
 roleDefinitionId: roleDefinitionId
@@ -24,5 +46,6 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 }]
+output policyAssignmentName string = policyAssignment.name
 output policyAssignmentId string = resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
-output policyAssignmentPrincipalId string = (policyAssignmentIdentity.type == 'SystemAssigned') ? policyAssignment.identity.principalId : ''
+output policyAssignmentPrincipalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
diff --git a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep
index 1feb96c33b..767f8f6898 100644
--- a/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/.bicep/nested_policyAssignments_sub.bicep
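Review bot: The role-assignment name on the new side still hashes the raw input, `name: guid(subscriptionId, resourceGroupName, roleDefinitionId, location, policyAssignmentName)`, while the assignment resource it belongs to is now named `policyAssignmentName_var` and the management-group template in this commit hashes `policyAssignmentName_var`. The parent currently passes an already-normalized name so the two coincide, but a direct caller passing a name with spaces gets a role-assignment guid that no longer tracks the assignment's actual name, and the three nested templates drift. Use `policyAssignmentName_var` in `guid(...)` here and in the subscription template so all three scopes derive the name the same way.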
@@ -1,21 +1,43 @@
 targetScope = 'subscription'
 param policyAssignmentName string
-param policyAssignmentProperties object
-param subscriptionId string
-param policyAssignmentIdentity object = {
- type: 'systemAssigned'
-}
-param location string = deployment().location
+param policyDefinitionID string
+param parameters object = {}
+param identity string = 'SystemAssigned'
 param roleDefinitionIds array = []
+param policyAssignmentDescription string = ''
+param displayName string = ''
+param metadata object = {}
+param nonComplianceMessage string = ''
+param enforcementMode string = 'Default'
+param notScopes array = []
+param subscriptionId string = subscription().subscriptionId
+param location string = deployment().location
+
+var policyAssignmentName_var = replace(policyAssignmentName, ' ', '-')
+var nonComplianceMessage_var = {
+ message: (empty(nonComplianceMessage) ? 'null' : nonComplianceMessage)
+}
+var policyAssignmentIdentity_var = {
+ type: identity
+}
 resource policyAssignment 'Microsoft.Authorization/policyAssignments@2020-09-01' = {
- name: policyAssignmentName
+ name: policyAssignmentName_var
 location: location
- properties: policyAssignmentProperties
- identity: policyAssignmentIdentity
+ properties: {
+ displayName: (empty(displayName) ? json('null') : displayName)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ description: (empty(policyAssignmentDescription) ? json('null') : policyAssignmentDescription)
+ policyDefinitionId: policyDefinitionID
+ parameters: parameters
+ nonComplianceMessages: (empty(nonComplianceMessage) ? [] : array(nonComplianceMessage_var))
+ enforcementMode: enforcementMode
+ notScopes: (empty(notScopes) ? 
[] : notScopes)
+ }
+ identity: policyAssignmentIdentity_var
 }
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && !empty(policyAssignmentIdentity)) {
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity != 'None') {
 name: guid(subscriptionId, roleDefinitionId, location, policyAssignmentName)
 properties: {
 roleDefinitionId: roleDefinitionId
@@ -23,5 +45,6 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 }]
+output policyAssignmentName string = policyAssignment.name
 output policyAssignmentId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policySetDefinitions', policyAssignment.name)
-output policyAssignmentPrincipalId string = (policyAssignmentIdentity.type == 'SystemAssigned') ? policyAssignment.identity.principalId : ''
+output policyAssignmentPrincipalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
diff --git a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
index e4ce1aba98..6959c21da3 100644
--- a/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyAssignments/deploy.bicep
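Review bot: The `policyAssignmentId` output that the new `policyAssignmentName` output is placed beside builds the id with the wrong resource type: `subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policySetDefinitions', policyAssignment.name)` names a policy set definition, not the assignment this template creates. It is a context line here, but the parent `deploy.bicep` forwards `policyAssignment_sub.outputs.policyAssignmentId` as its own `policyAssignmentId`, so at subscription scope every consumer of that output is handed an id for a resource that does not exist. Change it to `output policyAssignmentId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)`, which is what the mg and rg templates in this commit already do.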
@@ -54,36 +54,25 @@ param notScopes array = []
 @description('Optional. Location for all resources.')
 param location string = deployment().location
-var nonComplianceMessage_var = {
- message: (empty(nonComplianceMessage) ? 'null' : nonComplianceMessage)
-}
-
 var policyAssignmentName_var = replace(policyAssignmentName, ' ', '-')
-var policyAssignmentProperties_var = {
- displayName: (empty(displayName) ? json('null') : displayName)
- metadata: (empty(metadata) ? json('null') : metadata)
- description: (empty(policyAssignmentDescription) ? json('null') : policyAssignmentDescription)
- policyDefinitionId: policyDefinitionID
- parameters: parameters
- nonComplianceMessages: (empty(nonComplianceMessage) ? [] : array(nonComplianceMessage_var))
- enforcementMode: enforcementMode
- notScopes: (empty(notScopes) ? [] : notScopes)
-}
-
-var policyAssignmentIdentity_var = {
- type: identity
-}
 module policyAssignment_mg '.bicep/nested_policyAssignments_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${policyAssignmentName_var}-policyAssignment_mg'
 scope: managementGroup(managementGroupId)
 params: {
 policyAssignmentName: policyAssignmentName_var
- location: location
- policyAssignmentProperties: policyAssignmentProperties_var
- policyAssignmentIdentity: policyAssignmentIdentity_var
- managementGroupId: managementGroupId
+ policyDefinitionID: policyDefinitionID
+ displayName: displayName
+ policyAssignmentDescription: policyAssignmentDescription
+ parameters: parameters
+ identity: identity
 roleDefinitionIds: roleDefinitionIds
+ metadata: metadata
+ nonComplianceMessage: nonComplianceMessage
+ enforcementMode: enforcementMode
+ notScopes: notScopes
+ managementGroupId: managementGroupId
+ location: location
 }
 }
@@ -92,11 +81,18 @@ module policyAssignment_sub '.bicep/nested_policyAssignments_sub.bicep' = if (em
 scope: subscription(subscriptionId)
 params: {
 policyAssignmentName: policyAssignmentName_var
- location: location
- policyAssignmentProperties: policyAssignmentProperties_var
- policyAssignmentIdentity: policyAssignmentIdentity_var
- subscriptionId: subscriptionId
+ policyDefinitionID: policyDefinitionID
+ displayName: displayName
+ policyAssignmentDescription: policyAssignmentDescription
+ parameters: parameters
+ identity: identity
 roleDefinitionIds: roleDefinitionIds
+ metadata: metadata
+ nonComplianceMessage: nonComplianceMessage
+ enforcementMode: enforcementMode
+ notScopes: notScopes
+ subscriptionId: subscriptionId
+ location: location
 }
 }
@@ -105,15 +101,22 @@ module policyAssignment_rg '.bicep/nested_policyAssignments_rg.bicep' = if (empt
 scope: resourceGroup(subscriptionId, resourceGroupName)
 params: {
 policyAssignmentName: policyAssignmentName_var
- location: location
- policyAssignmentProperties: policyAssignmentProperties_var
- policyAssignmentIdentity: policyAssignmentIdentity_var
+ policyDefinitionID: policyDefinitionID
+ displayName: displayName
+ policyAssignmentDescription: policyAssignmentDescription
+ parameters: parameters
+ identity: identity
+ roleDefinitionIds: roleDefinitionIds
+ metadata: metadata
+ nonComplianceMessage: nonComplianceMessage
+ enforcementMode: enforcementMode
+ notScopes: notScopes
 resourceGroupName: resourceGroupName
 subscriptionId: subscriptionId
- roleDefinitionIds: roleDefinitionIds
+ location: location
 }
 }
-output policyAssignmentName string = policyAssignmentName
+output policyAssignmentName string = !empty(managementGroupId) ? policyAssignment_mg.outputs.policyAssignmentName : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.policyAssignmentName : policyAssignment_sub.outputs.policyAssignmentName)
 output policyAssignmentPrincipalId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.policyAssignmentPrincipalId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.policyAssignmentPrincipalId : policyAssignment_sub.outputs.policyAssignmentPrincipalId)
 output policyAssignmentId string = !empty(managementGroupId) ? policyAssignment_mg.outputs.policyAssignmentId : (!empty(resourceGroupName) ? policyAssignment_rg.outputs.policyAssignmentId : policyAssignment_sub.outputs.policyAssignmentId)
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep
index 250c373301..a2ae2085bf 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep
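Review bot: The new `policyAssignmentName` output selects `policyAssignment_mg.outputs.policyAssignmentName` whenever `managementGroupId` is non-empty, but the mg module in this file's first hunk is only deployed when `subscriptionId` and `resourceGroupName` are also empty, so a caller that sets a management group together with a subscription gets no mg module and an output that references one — which would presumably fail at deployment time rather than fall through to the sub/rg branch. The two pre-existing outputs above share the pattern, so this is not new, but adding a third copy is the moment to make the selection use the same predicate the modules use, e.g. a `var deployToMg = !empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)` consumed by the module condition and all three outputs. The enclosing `policyAssignment_rg` module declaration starts outside this hunk.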
+++ b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_mg.bicep 
@@ -1,14 +1,30 @@
 targetScope = 'managementGroup'
 param policyDefinitionName string
-param policyDefinitionProperties object
+param displayName string = ''
+param policyDescription string = ''
+param mode string = 'All'
+param metadata object = {}
+param parameters object = {}
+param policyRule object
 param managementGroupId string
 param location string = deployment().location
+var policyDefinitionName_var = toLower(replace(policyDefinitionName, ' ', '-'))
+
 resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
- name: policyDefinitionName
+ name: policyDefinitionName_var
 location: location
- properties: policyDefinitionProperties
+ properties: {
+ policyType: 'Custom'
+ mode: mode
+ displayName: (empty(displayName) ? json('null') : displayName)
+ description: (empty(policyDescription) ? json('null') : policyDescription)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ parameters: (empty(parameters) ? json('null') : parameters)
+ policyRule: policyRule
+ }
 }
-output policyDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/policyDefinitions',policyDefinition.name)
-output roleDefinitionIds array = (contains(policyDefinitionProperties.policyRule.then, 'details') ? ((contains(policyDefinitionProperties.policyRule.then.details, 'roleDefinitionIds') ? policyDefinitionProperties.policyRule.then.details.roleDefinitionIds : [])) : [])
+output policyDefinitionName string = policyDefinition.name
+output policyDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyDefinitions', policyDefinition.name)
+output roleDefinitionIds array = (contains(policyDefinition.properties.policyRule.then, 'details') ? ((contains(policyDefinition.properties.policyRule.then.details, 'roleDefinitionIds') ? 
policyDefinition.properties.policyRule.then.details.roleDefinitionIds : [])) : [])
diff --git a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
index 33a10efdce..f1f2e7f136 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/.bicep/nested_policyDefinitions_sub.bicep
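Review bot: None of the parameters introduced here carry the `@description` decorators that the parent `deploy.bicep` uses, and `mode` is a free-form string defaulted to `'All'` although Azure Policy only accepts a fixed set of modes; at minimum add `@description('Optional. The policy definition mode. Default is All.')` on `mode` and a description on `policyRule` noting that `then.details.roleDefinitionIds`, when present, is surfaced through the `roleDefinitionIds` output (presumably so a consuming assignment can grant those roles to its identity — worth stating explicitly, since that output is effectively a privilege list). The name normalization `toLower(replace(policyDefinitionName, ' ', '-'))` is now applied both here and in the parent; it is idempotent, but documenting that this template expects an already-normalized name, or dropping one copy, keeps the two from drifting. The subscription-scoped template in the next hunk has the same gaps.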
@@ -1,14 +1,30 @@
 targetScope = 'subscription'
 param policyDefinitionName string
-param policyDefinitionProperties object
-param subscriptionId string = subscription().id
+param displayName string = ''
+param policyDescription string = ''
+param mode string = 'All'
+param metadata object = {}
+param parameters object = {}
+param policyRule object
+param subscriptionId string = ''
 param location string = deployment().location
+var policyDefinitionName_var = toLower(replace(policyDefinitionName, ' ', '-'))
+
 resource policyDefinition 'Microsoft.Authorization/policyDefinitions@2020-09-01' = {
- name: policyDefinitionName
+ name: policyDefinitionName_var
 location: location
- properties: policyDefinitionProperties
+ properties: {
+ policyType: 'Custom'
+ mode: mode
+ displayName: (empty(displayName) ? json('null') : displayName)
+ description: (empty(policyDescription) ? json('null') : policyDescription)
+ metadata: (empty(metadata) ? json('null') : metadata)
+ parameters: (empty(parameters) ? json('null') : parameters)
+ policyRule: policyRule
+ }
 }
-output policyDefinitionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/policyDefinitions',policyDefinition.name)
-output roleDefinitionIds array = (contains(policyDefinitionProperties.policyRule.then, 'details') ? ((contains(policyDefinitionProperties.policyRule.then.details, 'roleDefinitionIds') ? policyDefinitionProperties.policyRule.then.details.roleDefinitionIds : [])) : [])
+output policyDefinitionName string = policyDefinition.name
+output policyDefinitionId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyDefinitions', policyDefinition.name)
+output roleDefinitionIds array = (contains(policyDefinition.properties.policyRule.then, 'details') ? ((contains(policyDefinition.properties.policyRule.then.details, 'roleDefinitionIds') ? policyDefinition.properties.policyRule.then.details.roleDefinitionIds : [])) : [])
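Review bot: `param subscriptionId string = ''` replaces the old `subscription().id` default, and with an empty default the output `subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyDefinitions', policyDefinition.name)` produces an id with no subscription segment whenever a direct caller omits the parameter. The parent always passes it, but the sibling policyAssignments nested templates in this same commit default to `subscription().subscriptionId`, which is the correct bare id here as well (the old `subscription().id` was the full `/subscriptions/<id>` path, which is presumably why it was changed). Suggest `param subscriptionId string = subscription().subscriptionId` so the template is safe to call on its own and consistent with the rest of the module family.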
diff --git a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
index 149326f922..8062fea232 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
+++ b/arm/Microsoft.Authorization/policyDefinitions/deploy.bicep
@@ -39,15 +39,6 @@ param subscriptionId string = ''
 param location string = deployment().location
 var policyDefinitionName_var = toLower(replace(policyDefinitionName, ' ', '-'))
-var policyDefinitionProperties_var = {
- policyType: 'Custom'
- mode: mode
- displayName: (empty(displayName) ? json('null') : displayName)
- description: (empty(policyDescription) ? json('null') : policyDescription)
- metadata: (empty(metadata) ? json('null') : metadata)
- parameters: (empty(parameters) ? json('null') : parameters)
- policyRule: policyRule
-}
 module policyDefinition_mg './.bicep/nested_policyDefinitions_mg.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) {
 name: '${policyDefinitionName_var}-mgDeployment'
@@ -55,8 +46,13 @@ module policyDefinition_mg './.bicep/nested_policyDefinitions_mg.bicep' = if (em
 params: {
 policyDefinitionName: policyDefinitionName_var
 location: location
- policyDefinitionProperties: policyDefinitionProperties_var
 managementGroupId: managementGroupId
+ mode: mode
+ displayName: (empty(displayName) ? '' : displayName)
+ policyDescription: (empty(policyDescription) ? '' : policyDescription)
+ metadata: (empty(metadata) ? {} : metadata)
+ parameters: (empty(parameters) ? {} : parameters)
+ policyRule: policyRule
 }
 }
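Review bot: The pass-through expressions in the `policyDefinition_mg` params — `displayName: (empty(displayName) ? '' : displayName)`, `policyDescription: (empty(policyDescription) ? '' : policyDescription)`, `metadata: (empty(metadata) ? {} : metadata)` and `parameters: (empty(parameters) ? {} : parameters)` — are no-ops, since an empty string or empty object is returned unchanged by both branches, and the nested template already performs the real `json('null')` defaulting. Passing the values straight through, as the policyAssignments `deploy.bicep` in this commit does (`displayName: displayName`, `metadata: metadata`), removes four conditionals that suggest a conversion that is not happening. The same expressions appear in the `policyDefinition_sub` params in the next hunk. The `policyDefinition_mg` module declaration is cut across the two hunks here.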
@@ -66,11 +62,16 @@ module policyDefinition_sub './.bicep/nested_policyDefinitions_sub.bicep' = if ( params: { policyDefinitionName: policyDefinitionName_var location: location - policyDefinitionProperties: policyDefinitionProperties_var subscriptionId: subscriptionId + mode: mode + displayName: (empty(displayName) ? '' : displayName) + policyDescription: (empty(policyDescription) ? '' : policyDescription) + metadata: (empty(metadata) ? {} : metadata) + parameters: (empty(parameters) ? {} : parameters) + policyRule: policyRule } } -output policyDefinitionName string = policyDefinitionName_var +output policyDefinitionName string = !empty(managementGroupId) ? policyDefinition_mg.outputs.policyDefinitionName : policyDefinition_sub.outputs.policyDefinitionName output policyDefinitionId string = !empty(managementGroupId) ? policyDefinition_mg.outputs.policyDefinitionId : policyDefinition_sub.outputs.policyDefinitionId output roleDefinitionIds array = !empty(managementGroupId) ? policyDefinition_mg.outputs.roleDefinitionIds : policyDefinition_sub.outputs.roleDefinitionIds diff --git a/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json index 89fc1c0994..382b663aea 100644 --- a/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json +++ b/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json 
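Review bot: The new `policyDefinitionName` output (and the two outputs after it) selects the management-group module on `!empty(managementGroupId)` alone, while `policyDefinition_mg` is only deployed when `empty(subscriptionId) && !empty(managementGroupId)`; if a caller sets both parameters the outputs reference a module that was skipped, and the deployment will most likely fail at output evaluation after the definition has already been created elsewhere. Either reject combined inputs or derive both the module conditions and the output selectors from one variable, e.g. `var deployToMg = empty(subscriptionId) && !empty(managementGroupId)`. The same mismatch exists at the end of the `@@ -79,12 +82,19 @@` hunk of policyExemptions/deploy.bicep and the `@@ -58,11 +54,16 @@` hunk of policySetDefinitions/deploy.bicep. The sub module's own `if (...)` condition is cut off at this hunk's start, so whether the combined-inputs case deploys anything at all cannot be confirmed from here.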
@@ -1,56 +1,56 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "policyDefinitionName": { - "value": "test-deny-keyvault-public-access" - }, - "displayName": { - "value": "[Test] This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" - }, - "policyRule": { - "value": { - "if": { - "allOf": [ - { - "equals": "Microsoft.KeyVault/vaults", - "field": "type" - }, - { - "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", - "notequals": "Deny" - } - ] - }, - "then": { - "effect": "[parameters('effect')]" - } - } - }, - "parameters": { - "value": { - "effect": { - "allowedValues": [ - "Audit", - "Deny", - "Disabled" - ], - "defaultValue": "Deny", - "metadata": { - "description": "Enable or disable the execution of the policy", - "displayName": "Effect" + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyDefinitionName": { + "value": "test-deny-keyvault-public-access" + }, + "displayName": { + "value": "[Test] This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints" + }, + "policyRule": { + "value": { + "if": { + "allOf": [ + { + "equals": "Microsoft.KeyVault/vaults", + "field": "type" }, - "type": "String" - } + { + "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", + "notequals": "Deny" + } + ] + }, + "then": { + "effect": "[parameters('effect')]" } - }, - "metadata": { - "value": { - "category": "Security" + } + }, + "parameters": { + "value": { + "effect": { + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny", + "metadata": { + "description": "Enable or disable the execution of the policy", + "displayName": "Effect" + }, + "type": "String" } - }, - "subscriptionId": { - "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" } + }, + "metadata": 
{ + "value": { + "category": "Security" + } + }, + "subscriptionId": { + "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" } - } \ No newline at end of file + } +} \ No newline at end of file diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep index f51cabd5a3..590803034c 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_mg.bicep 
@@ -1,15 +1,32 @@ targetScope = 'managementGroup' param policyExemptionName string -param policyExemptionProperties object +param displayName string = '' +param policyExemptionDescription string = '' +param metadata object = {} +param exemptionCategory string = 'Mitigated' +param policyAssignmentId string +param policyDefinitionReferenceIds array = [] +param expiresOn string = '' param managementGroupId string param location string = deployment().location +var policyExemptionName_var = toLower(replace(policyExemptionName, ' ', '-')) + resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = { - name: policyExemptionName + name: policyExemptionName_var location: location - properties: policyExemptionProperties + properties: { + displayName: (empty(displayName) ? json('null') : displayName) + description: (empty(policyExemptionDescription) ? json('null') : policyExemptionDescription) + metadata: (empty(metadata) ? json('null') : metadata) + exemptionCategory: exemptionCategory + policyAssignmentId: policyAssignmentId + policyDefinitionReferenceIds: (empty(policyDefinitionReferenceIds) ? [] : policyDefinitionReferenceIds) + expiresOn: (empty(expiresOn) ? json('null') : expiresOn) + } } +output policyExemptionName string = policyExemption.name output policyExemptionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/policyExemptions',policyExemption.name) output policyExemptionScope string = tenantResourceId('Microsoft.Management/managementGroups',managementGroupId) diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep index 5e5c80d79a..fd34767c2c 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep 
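Review bot: `exemptionCategory` has no `@allowed` decorator and `expiresOn` defaults to `''`, which the resource body turns into `json('null')` — an exemption with no expiry — without any documentation that this is the default; open-ended exemptions are exactly what a policy-compliance review looks for, so the default deserves to be explicit. Suggest an `@allowed` decorator limiting `exemptionCategory` to the two values the provider accepts, `Mitigated` and `Waiver`, and `@description('Optional. Expiry in ISO 8601 format. Empty creates an exemption that never expires.')` on `expiresOn`. The same parameter block is repeated verbatim in `nested_policyExemptions_rg.bicep` and `nested_policyExemptions_sub.bicep` in the next two hunks and should get the same treatment.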
+++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_rg.bicep @@ -1,16 +1,33 @@ targetScope = 'resourceGroup' param policyExemptionName string -param policyExemptionProperties object +param displayName string = '' +param policyExemptionDescription string = '' +param metadata object = {} +param exemptionCategory string = 'Mitigated' +param policyAssignmentId string +param policyDefinitionReferenceIds array = [] +param expiresOn string = '' param subscriptionId string = subscription().subscriptionId param resourceGroupName string = resourceGroup().name param location string = resourceGroup().location +var policyExemptionName_var = toLower(replace(policyExemptionName, ' ', '-')) + resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = { - name: policyExemptionName + name: policyExemptionName_var location: location - properties: policyExemptionProperties + properties: { + displayName: (empty(displayName) ? json('null') : displayName) + description: (empty(policyExemptionDescription) ? json('null') : policyExemptionDescription) + metadata: (empty(metadata) ? json('null') : metadata) + exemptionCategory: exemptionCategory + policyAssignmentId: policyAssignmentId + policyDefinitionReferenceIds: (empty(policyDefinitionReferenceIds) ? [] : policyDefinitionReferenceIds) + expiresOn: (empty(expiresOn) ? json('null') : expiresOn) + } } +output policyExemptionName string = policyExemption.name output policyExemptionId string = resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyExemptions', policyExemption.name) output policyExemptionScope string = resourceGroup().id diff --git a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep index fab81b6624..76243a42f6 100644 --- a/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep 
+++ b/arm/Microsoft.Authorization/policyExemptions/.bicep/nested_policyExemptions_sub.bicep @@ -1,15 +1,32 @@ targetScope = 'subscription' param policyExemptionName string -param policyExemptionProperties object -param subscriptionId string +param displayName string = '' +param policyExemptionDescription string = '' +param metadata object = {} +param exemptionCategory string = 'Mitigated' +param policyAssignmentId string +param policyDefinitionReferenceIds array = [] +param expiresOn string = '' +param subscriptionId string = subscription().subscriptionId param location string = deployment().location +var policyExemptionName_var = toLower(replace(policyExemptionName, ' ', '-')) + resource policyExemption 'Microsoft.Authorization/policyExemptions@2020-07-01-preview' = { - name: policyExemptionName + name: policyExemptionName_var location: location - properties: policyExemptionProperties + properties: { + displayName: (empty(displayName) ? json('null') : displayName) + description: (empty(policyExemptionDescription) ? json('null') : policyExemptionDescription) + metadata: (empty(metadata) ? json('null') : metadata) + exemptionCategory: exemptionCategory + policyAssignmentId: policyAssignmentId + policyDefinitionReferenceIds: (empty(policyDefinitionReferenceIds) ? [] : policyDefinitionReferenceIds) + expiresOn: (empty(expiresOn) ? json('null') : expiresOn) + } } +output policyExemptionName string = policyExemption.name output policyExemptionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/policyExemptions',policyExemption.name) output policyExemptionScope string = subscription().id diff --git a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep index b8e82dbe67..07a694bcd7 100644 --- a/arm/Microsoft.Authorization/policyExemptions/deploy.bicep +++ b/arm/Microsoft.Authorization/policyExemptions/deploy.bicep 
@@ -42,22 +42,19 @@ param resourceGroupName string = '' param location string = deployment().location var policyExemptionName_var = toLower(replace(policyExemptionName, ' ', '-')) -var policyExemptionProperties_var = { - displayName: (empty(displayName) ? json('null') : displayName) - description: (empty(policyExemptionDescription) ? json('null') : policyExemptionDescription) - metadata: (empty(metadata) ? json('null') : metadata) - exemptionCategory: exemptionCategory - policyAssignmentId: policyAssignmentId - policyDefinitionReferenceIds: (empty(policyDefinitionReferenceIds) ? [] : policyDefinitionReferenceIds) - expiresOn: (empty(expiresOn) ? json('null') : expiresOn) -} module policyExemption_mg './.bicep/nested_policyExemptions_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { name: '${policyExemptionName_var}-mg' scope: managementGroup(managementGroupId) params: { policyExemptionName: policyExemptionName_var - policyExemptionProperties: policyExemptionProperties_var + displayName: (empty(displayName) ? '' : displayName) + policyExemptionDescription: (empty(policyExemptionDescription) ? '' : policyExemptionDescription) + metadata: (empty(metadata) ? {} : metadata) + exemptionCategory: exemptionCategory + policyAssignmentId: policyAssignmentId + policyDefinitionReferenceIds: (empty(policyDefinitionReferenceIds) ? [] : policyDefinitionReferenceIds) + expiresOn: (empty(expiresOn) ? '' : expiresOn) managementGroupId: managementGroupId location: location } 
@@ -68,7 +65,13 @@ module policyExemption_sub './.bicep/nested_policyExemptions_sub.bicep' = if (em
 scope: subscription(subscriptionId)
 params: {
 policyExemptionName: policyExemptionName_var
- policyExemptionProperties: policyExemptionProperties_var
+ displayName: (empty(displayName) ? '' : displayName)
+ policyExemptionDescription: (empty(policyExemptionDescription) ? '' : policyExemptionDescription)
+ metadata: (empty(metadata) ? {} : metadata)
+ exemptionCategory: exemptionCategory
+ policyAssignmentId: policyAssignmentId
+ policyDefinitionReferenceIds: (empty(policyDefinitionReferenceIds) ? [] : policyDefinitionReferenceIds)
+ expiresOn: (empty(expiresOn) ? '' : expiresOn)
 subscriptionId: subscriptionId
 location: location
 }
@@ -79,12 +82,19 @@ module policyExemption_rg './.bicep/nested_policyExemptions_rg.bicep' = if (empt scope: resourceGroup(subscriptionId, resourceGroupName) params: { policyExemptionName: policyExemptionName_var - policyExemptionProperties: policyExemptionProperties_var + displayName: (empty(displayName) ? '' : displayName) + policyExemptionDescription: (empty(policyExemptionDescription) ? '' : policyExemptionDescription) + metadata: (empty(metadata) ? {} : metadata) + exemptionCategory: exemptionCategory + policyAssignmentId: policyAssignmentId + policyDefinitionReferenceIds: (empty(policyDefinitionReferenceIds) ? [] : policyDefinitionReferenceIds) + expiresOn: (empty(expiresOn) ? '' : expiresOn) subscriptionId: subscriptionId + resourceGroupName: resourceGroupName location: location } } -output policyExemptionName string = policyExemptionName_var +output policyExemptionName string = !empty(managementGroupId) ? policyExemption_mg.outputs.policyExemptionName : (!empty(resourceGroupName) ? policyExemption_rg.outputs.policyExemptionName : policyExemption_sub.outputs.policyExemptionName) output policyExemptionId string = !empty(managementGroupId) ? policyExemption_mg.outputs.policyExemptionId : (!empty(resourceGroupName) ? policyExemption_rg.outputs.policyExemptionId : policyExemption_sub.outputs.policyExemptionId) output policyExemptionScope string = !empty(managementGroupId) ? policyExemption_mg.outputs.policyExemptionScope : (!empty(resourceGroupName) ? policyExemption_rg.outputs.policyExemptionScope : policyExemption_sub.outputs.policyExemptionScope) diff --git a/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json b/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json index 32593e22a9..f8874b8db3 100644 --- a/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json +++ b/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json 
@@ -24,9 +24,6 @@
 },
 "subscriptionId": {
 "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
- },
- "resourceGroupName": {
- "value": "validation-rg"
 }
 }
 }
\ No newline at end of file
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
index 09346766c0..88ca14bd95 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
+++ b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_mg.bicep
@@ -1,13 +1,29 @@ targetScope = 'managementGroup' param policySetDefinitionName string -param policySetDefinitionProperties object -param managementGroupId string +param displayName string = '' +param policySetDescription string = '' +param metadata object = {} +param policyDefinitions array +param policyDefinitionGroups array = [] +param parameters object = {} param location string = deployment().location +param managementGroupId string + +var policySetDefinitionName_var = replace(policySetDefinitionName, ' ', '-') resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = { - name: policySetDefinitionName + name: policySetDefinitionName_var location: location - properties: policySetDefinitionProperties + properties: { + policyType: 'Custom' + displayName: (empty(displayName) ? json('null') : displayName) + description: (empty(policySetDescription) ? json('null') : policySetDescription) + metadata: (empty(metadata) ? json('null') : metadata) + parameters: (empty(parameters) ? json('null') : parameters) + policyDefinitions: policyDefinitions + policyDefinitionGroups: (empty(policyDefinitionGroups) ? [] : policyDefinitionGroups) + } } -output policySetDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/policySetDefinitions',policySetDefinition.name) +output policySetDefinitionName string = policySetDefinition.name +output policySetDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policySetDefinitions', policySetDefinition.name) diff --git a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep index 4f06d7b38c..985689183b 100644 
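Review bot: `var policySetDefinitionName_var = replace(policySetDefinitionName, ' ', '-')` normalizes the name differently from the policyDefinitions and policyExemptions nested modules in this commit, which use `toLower(replace(...))`, so the same input name yields differently-cased resources across the three module families. Since deploy.bicep already applies this exact `replace` before passing `policySetDefinitionName_var`, the nested transform is a no-op repeat; choose one normalization and apply it in one place (or drop `toLower` everywhere if case must be preserved for set definitions). The subscription variant in the next hunk carries the identical line.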
--- a/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep +++ b/arm/Microsoft.Authorization/policySetDefinitions/.bicep/nested_policySetDefinition_sub.bicep @@ -1,13 +1,29 @@ targetScope = 'subscription' param policySetDefinitionName string -param policySetDefinitionProperties object -param subscriptionId string = subscription().id +param displayName string = '' +param policySetDescription string = '' +param metadata object = {} +param policyDefinitions array +param policyDefinitionGroups array = [] +param parameters object = {} param location string = deployment().location +param subscriptionId string = subscription().subscriptionId + +var policySetDefinitionName_var = replace(policySetDefinitionName, ' ', '-') resource policySetDefinition 'Microsoft.Authorization/policySetDefinitions@2020-09-01' = { - name: policySetDefinitionName + name: policySetDefinitionName_var location: location - properties: policySetDefinitionProperties + properties: { + policyType: 'Custom' + displayName: (empty(displayName) ? json('null') : displayName) + description: (empty(policySetDescription) ? json('null') : policySetDescription) + metadata: (empty(metadata) ? json('null') : metadata) + parameters: (empty(parameters) ? json('null') : parameters) + policyDefinitions: policyDefinitions + policyDefinitionGroups: (empty(policyDefinitionGroups) ? [] : policyDefinitionGroups) + } } -output policySetDefinitionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/policySetDefinitions',policySetDefinition.name) +output policySetDefinitionName string = policySetDefinition.name +output policySetDefinitionId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policySetDefinitions', policySetDefinition.name) diff --git a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep index f3a803fcdb..656ac0ef76 100644 
--- a/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/policySetDefinitions/deploy.bicep @@ -32,22 +32,18 @@ param parameters object = {} param location string = deployment().location var policySetDefinitionName_var = replace(policySetDefinitionName, ' ', '-') -var policySetDefinitionProperties_var = { - policyType: 'Custom' - displayName: (empty(displayName) ? json('null') : displayName) - description: (empty(policySetDescription) ? json('null') : policySetDescription) - metadata: (empty(metadata) ? json('null') : metadata) - parameters: (empty(parameters) ? json('null') : parameters) - policyDefinitions: policyDefinitions - policyDefinitionGroups: (empty(policyDefinitionGroups) ? [] : policyDefinitionGroups) -} module policySetDefinition_mg './.bicep/nested_policySetDefinition_mg.bicep' = if (empty(subscriptionId) && !empty(managementGroupId)) { name: '${policySetDefinitionName_var}-mgDeployment' scope: managementGroup(managementGroupId) params: { policySetDefinitionName: policySetDefinitionName_var - policySetDefinitionProperties: policySetDefinitionProperties_var + displayName: (empty(displayName) ? '' : displayName) + policySetDescription: (empty(policySetDescription) ? '' : policySetDescription) + metadata: (empty(metadata) ? {} : metadata) + parameters: (empty(parameters) ? {} : parameters) + policyDefinitions: policyDefinitions + policyDefinitionGroups: (empty(policyDefinitionGroups) ? [] : policyDefinitionGroups) managementGroupId: managementGroupId location: location } 
@@ -58,11 +54,16 @@ module policySetDefinition_sub './.bicep/nested_policySetDefinition_sub.bicep' =
 scope: subscription(subscriptionId)
 params: {
 policySetDefinitionName: policySetDefinitionName_var
- policySetDefinitionProperties: policySetDefinitionProperties_var
+ displayName: (empty(displayName) ? '' : displayName)
+ policySetDescription: (empty(policySetDescription) ? '' : policySetDescription)
+ metadata: (empty(metadata) ? {} : metadata)
+ parameters: (empty(parameters) ? {} : parameters)
+ policyDefinitions: policyDefinitions
+ policyDefinitionGroups: (empty(policyDefinitionGroups) ? [] : policyDefinitionGroups)
 subscriptionId: subscriptionId
 location: location
 }
 }
 
-output policySetDefinitionName string = policySetDefinitionName_var
+output policySetDefinitionName string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.policySetDefinitionName : policySetDefinition_sub.outputs.policySetDefinitionName
 output policySetDefinitionId string = !empty(managementGroupId) ? policySetDefinition_mg.outputs.policySetDefinitionId : policySetDefinition_sub.outputs.policySetDefinitionId
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
index 09587c43d0..d8cf7bb27c 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
@@ -1,67 +1,66 @@ { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "policySetDefinitionName": { - "value": "test-policySetExample" - }, - "policySetDescription": { - "value": "[Test] Set of security policies" - }, - "displayName": { - "value": "[Test] contoso security Policies" - }, - "policyDefinitionGroups": { - "value": [ - { - "name": "Network" + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policySetDefinitionName": { + "value": "test-policySetExample" + }, + "policySetDescription": { + "value": "[Test] Set of security policies" + }, + "displayName": { + "value": "[Test] contoso security Policies" + }, + "policyDefinitionGroups": { + "value": [ + { + "name": "Network" + }, + { + "name": "ARM" + } + ] + }, + "policyDefinitions": { + "value": [ + { + "groupNames": [ + "ARM" + ], + "parameters": { + "listOfAllowedLocations": { + "value": [ + "australiaeast" + ] + } }, - { - "name": "ARM" - } - ] - }, - "policyDefinitions": { - "value": [ - { - "groupNames": [ - "ARM" - ], - "parameters": { - "listOfAllowedLocations": { - "value": [ - "australiaeast" - ] - } - }, - "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", - "policyDefinitionReferenceId": "Allowed locations_1" + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c", + "policyDefinitionReferenceId": "Allowed locations_1" + }, + { + "groupNames": [ + "ARM" + ], + "parameters": { + "listOfAllowedLocations": { + "value": [ + "australiaeast" + ] + } }, - { - "groupNames": [ - "ARM" - ], - "parameters": { - "listOfAllowedLocations": { - "value": [ - "australiaeast" - ] - } - }, - "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", - "policyDefinitionReferenceId": "Allowed locations for resource groups_1" - } - ] - }, - "metadata": { - "value": { - "category": "Security", - "version": "1" + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988", + "policyDefinitionReferenceId": "Allowed locations for resource groups_1" } - }, - "subscriptionId": { - "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" + ] + }, + "metadata": { + "value": { + "category": "Security", + "version": "1" } + }, + "subscriptionId": { + "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" } } - \ No newline at end of file +} \ No newline at end of file diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep new file mode 100644 index 0000000000..d0986d177d --- /dev/null +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep 
@@ -0,0 +1,196 @@ +targetScope = 'managementGroup' + +param roleDefinitionIdOrName string +param principalId string +param managementGroupId string +param location string = deployment().location + +var builtInRoleNames_var = { + 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f' + 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d' + 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' + 'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04' + 'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608' + 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c' + 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61' + 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d' + 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' + 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071' + 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e' + 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b' + 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e' + 'Attestation Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3' + 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f' + 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404' + 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5' + 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a' + 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9' + 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7' + 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302' + 'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' + 'Azure Digital Twins Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' + 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec' + 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde' + 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975' + 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8' + 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f' + 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' + 
'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204'
+ 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa'
+ 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
+ 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
+ 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
+ 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
+ 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
+ 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
+ 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a'
+ 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b'
+ 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324'
+ 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912'
+ 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
+ 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342'
+ 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24'
+ 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
+ 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
+ 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45'
+ 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd'
+ 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432'
+ 'CDN Profile Reader': '/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af'
+ 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f'
+ 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25'
+ 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d'
+ 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
+ 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe'
+ 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
+ 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
+ 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f'
+ 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c'
+ 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73'
+ 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
+ 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c'
+ 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
+ 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
+ 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908'
+ 'Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
+ 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8'
+ 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
+ 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
+ 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430'
+ 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3'
+ 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5'
+ 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027'
+ 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5'
+ 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
+ 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90'
+ 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
+ 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64'
+ 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
+ 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450'
+ 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443'
+ 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405'
+ 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c'
+ 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c'
+ 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1'
+ 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd'
+ 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843'
+ 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508'
+ 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913'
+ 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9'
+ 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a'
+ 'HDInsight Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c'
+ 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d'
+ 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
+ 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
+ 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8'
+ 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec'
+ 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e'
+ 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395'
+ 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c'
+ 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
+ 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead'
+ 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
+ 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893'
+ 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
+ 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe'
+ 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
+ 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae'
+ 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44'
+ 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
+ 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'
+ 'Managed Services Registration assignment Delete ': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
+ 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c'
+ 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d'
+ 'Marketplace Admin': '/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f'
+ 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
+ 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb'
+ 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05'
+ 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7'
+ 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237'
+ 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745'
+ 'Owner': '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84'
+ 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
+ 'Reader': '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
+ 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17'
+ 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
+ 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
+ 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
+ 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94'
+ 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0'
+ 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
+ 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5'
+ 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10'
+ 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4'
+ 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
+ 'SignalR Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
+ 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567'
+ 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca'
+ 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149'
+ 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
+ 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c'
+ 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
+ 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
+ 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
+ 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3'
+ 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
+ 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
+ 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12'
+ 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+ 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+ 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+ 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
+ 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
+ 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
+ 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
+ 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88'
+ 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed'
+ 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a'
+ 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925'
+ 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
+ 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
+ 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7'
+ 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+ 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4'
+ 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+ 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52'
+ 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b'
+ 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772'
+ 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
+ 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
+}
+
+var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+ name: guid(managementGroupId, location, roleDefinitionId_var, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionId_var
+ principalId: principalId
+ }
+}
+
+output roleAssignmentName string = roleAssignment.name
+output roleAssignmentScope string = tenantResourceId('Microsoft.Management/managementGroups',managementGroupId)
+output roleAssignmentId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/roleAssignments',roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep
new file mode 100644
index 0000000000..979aa70732
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep
@@ -0,0 +1,196 @@ +targetScope = 'resourceGroup' + +param roleDefinitionIdOrName string +param principalId string +param subscriptionId string = subscription().subscriptionId +param resourceGroupName string = resourceGroup().name +param location string = resourceGroup().location + +var builtInRoleNames_var = { + 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' + 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f' + 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d' + 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' + 'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04' + 'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608' + 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c' + 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61' + 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d' + 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' + 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071' + 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e' + 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b' + 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e' + 
'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3' + 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f' + 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404' + 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5' + 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a' + 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9' + 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7' + 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302' + 'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' + 'Azure Digital Twins Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' + 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec' + 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde' + 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975' + 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8' + 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f' + 'Azure Kubernetes Service Contributor Role': 
'/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' + 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204' + 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa' + 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade' + 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb' + 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056' + 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419' + 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' + 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' + 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a' + 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b' + 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324' + 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912' + 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64' + 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342' + 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24' + 'Blueprint Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4' + 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090' + 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45' + 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd' + 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432' + 'CDN Profile Reader': '/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af' + 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f' + 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25' + 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d' + 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb' + 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe' + 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68' + 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3' + 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f' + 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c' + 'Cognitive Services Custom Vision Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73' + 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b' + 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c' + 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025' + 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126' + 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908' + 'Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8' + 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa' + 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb' + 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430' + 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3' + 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5' + 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027' + 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5' + 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88' + 'Data Purger': 
'/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90' + 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63' + 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64' + 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314' + 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450' + 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443' + 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405' + 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c' + 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c' + 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' + 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' + 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' + 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' + 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' + 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9' + 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a' + 'HDInsight Domain Services Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c' + 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d' + 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb' + 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624' + 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8' + 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec' + 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e' + 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395' + 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c' + 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41' + 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead' + 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' + 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893' + 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e' + 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe' + 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' + 'Managed Application Operator Role': 
'/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae' + 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44' + 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59' + 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830' + 'Managed Services Registration assignment Delete ': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46' + 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c' + 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d' + 'Marketplace Admin': '/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f' + 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' + 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb' + 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05' + 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7' + 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237' + 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745' + 'Owner': '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' + 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84' + 'Private DNS Zone Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f' + 'Reader': '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' + 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349' + 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17' + 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e' + 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a' + 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608' + 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94' + 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0' + 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd' + 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5' + 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10' + 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4' + 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e' + 'SignalR Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761' + 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567' + 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca' + 
'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149'
+ 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
+ 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c'
+ 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
+ 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
+ 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
+ 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3'
+ 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
+ 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
+ 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12'
+ 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+ 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+ 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+ 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
+ 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
+ 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
+ 
'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
+ 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88'
+ 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed'
+ 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a'
+ 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925'
+ 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
+ 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
+ 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7'
+ 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+ 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4'
+ 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+ 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52'
+ 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b'
+ 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772'
+ 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
+ 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
+}
+var roleDefinitionId_var = 
(contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+ name: guid(subscriptionId, resourceGroupName, location, roleDefinitionId_var, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionId_var
+ principalId: principalId
+ }
+}
+
+output roleAssignmentName string = roleAssignment.name
+output roleAssignmentScope string = resourceGroup().id
+output roleAssignmentId string = resourceId(resourceGroupName, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep
new file mode 100644
index 0000000000..216c4c97de
--- /dev/null
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep
@@ -0,0 +1,196 @@
+targetScope = 'subscription'
+
+param roleDefinitionIdOrName string
+param principalId string
+param subscriptionId string = subscription().subscriptionId
+param location string = deployment().location
+
+var builtInRoleNames_var = {
+ 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+ 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
+ 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
+ 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
+ 'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
+ 'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
+ 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
+ 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61'
+ 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d'
+ 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
+ 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
+ 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e'
+ 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b'
+ 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e'
+ 'Attestation Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3'
+ 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f'
+ 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
+ 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5'
+ 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a'
+ 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9'
+ 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7'
+ 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302'
+ 'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe'
+ 'Azure Digital Twins Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3'
+ 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec'
+ 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
+ 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975'
+ 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'
+ 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
+ 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
+ 
'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204'
+ 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa'
+ 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
+ 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
+ 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
+ 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
+ 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
+ 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
+ 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a'
+ 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b'
+ 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324'
+ 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912'
+ 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
+ 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342'
+ 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24'
+ 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
+ 'Blueprint Operator': 
'/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
+ 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45'
+ 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd'
+ 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432'
+ 'CDN Profile Reader': '/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af'
+ 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f'
+ 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25'
+ 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d'
+ 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
+ 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe'
+ 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
+ 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
+ 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f'
+ 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c'
+ 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73'
+ 'Cognitive Services Custom Vision Trainer': 
'/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
+ 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c'
+ 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
+ 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
+ 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908'
+ 'Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
+ 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8'
+ 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
+ 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
+ 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430'
+ 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3'
+ 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5'
+ 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027'
+ 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5'
+ 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
+ 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90'
+ 'Desktop Virtualization User': 
'/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
+ 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64'
+ 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
+ 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450'
+ 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443'
+ 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405'
+ 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c'
+ 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c'
+ 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1'
+ 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd'
+ 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843'
+ 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508'
+ 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913'
+ 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9'
+ 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a'
+ 'HDInsight Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c'
+ 'Hierarchy Settings Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d'
+ 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
+ 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
+ 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8'
+ 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec'
+ 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e'
+ 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395'
+ 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c'
+ 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
+ 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead'
+ 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
+ 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893'
+ 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
+ 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe'
+ 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
+ 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae'
+ 'Managed Applications Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44'
+ 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
+ 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'
+ 'Managed Services Registration assignment Delete ': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
+ 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c'
+ 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d'
+ 'Marketplace Admin': '/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f'
+ 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
+ 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb'
+ 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05'
+ 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7'
+ 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237'
+ 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745'
+ 'Owner': '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
+ 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84'
+ 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
+ 'Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
+ 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
+ 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17'
+ 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
+ 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
+ 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
+ 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94'
+ 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0'
+ 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
+ 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5'
+ 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10'
+ 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4'
+ 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
+ 'SignalR Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
+ 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567'
+ 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca'
+ 'Site Recovery Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149'
+ 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
+ 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c'
+ 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
+ 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
+ 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
+ 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3'
+ 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
+ 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
+ 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12'
+ 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+ 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
+ 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
+ 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
+ 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
+ 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
+ 'Storage File Data SMB Share 
Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
+ 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88'
+ 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed'
+ 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a'
+ 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925'
+ 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
+ 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
+ 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7'
+ 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+ 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4'
+ 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+ 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52'
+ 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b'
+ 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772'
+ 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
+ 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
+}
+var roleDefinitionId_var = (contains(builtInRoleNames_var, 
roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+ name: guid(subscriptionId, roleDefinitionId_var, location, principalId)
+ properties: {
+ roleDefinitionId: roleDefinitionId_var
+ principalId: principalId
+ }
+}
+
+output roleAssignmentName string = roleAssignment.name
+output roleAssignmentScope string = subscription().id
+output roleAssignmentId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/roleAssignments',roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep
deleted file mode 100644
index dca1c01691..0000000000
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_mg.bicep
+++ /dev/null
@@ -1,17 +0,0 @@
-targetScope = 'managementGroup'
-
-param roleDefinitionId string
-param principalId string
-param managementGroupId string
-param location string = deployment().location
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
- name: guid(managementGroupId, location, roleDefinitionId, principalId)
- properties: {
- roleDefinitionId: roleDefinitionId
- principalId: principalId
- }
-}
-
-output roleAssignmentScope string = tenantResourceId('Microsoft.Management/managementGroups',managementGroupId)
-output roleAssignmentId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/roleAssignments',roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep
deleted file mode 100644
index 70ce294a19..0000000000
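Review bot: The key `'Managed Services Registration assignment Delete '` in builtInRoleNames_var carries a trailing space, so a caller passing the role name as written will miss the `contains()` lookup and the bare name is forwarded as `roleDefinitionId`, failing only at deployment time; drop the space (the resource-group variant above has the same key, and a single shared map rather than a verbatim copy per scope would keep the two from drifting). The assignment name also folds `location` (defaulting to `deployment().location`) into `guid(...)`, so redeploying the same subscription/role/principal triple from another deployment location yields a different name for an assignment that already exists, which as far as I can tell ends in a conflict rather than an idempotent no-op; `name: guid(subscriptionId, roleDefinitionId_var, principalId)` would be stable. Consider also setting `principalType` on the assignment so the provider does not have to resolve the principal's type at deploy time, and adding `@description` decorators to the four params as deploy.bicep does. Since an unrecognised value falls through untouched, a one-line comment on the `roleDefinitionId_var` line, `// Unknown names are passed through verbatim and must already be a full role definition resource ID`, would make that contract explicit for parameter-file authors.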
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_rg.bicep
+++ /dev/null
@@ -1,18 +0,0 @@
-targetScope = 'resourceGroup'
-
-param roleDefinitionId string
-param principalId string
-param subscriptionId string
-param resourceGroupName string
-param location string = resourceGroup().location
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
- name: guid(subscriptionId, resourceGroupName, location, roleDefinitionId, principalId)
- properties: {
- roleDefinitionId: roleDefinitionId
- principalId: principalId
- }
-}
-
-output roleAssignmentScope string = resourceGroup().id
-output roleAssignmentId string = resourceId(resourceGroupName, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep
deleted file mode 100644
index 2b44837e12..0000000000
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_roleAssignments_sub.bicep
+++ /dev/null
@@ -1,17 +0,0 @@
-targetScope = 'subscription'
-
-param roleDefinitionId string
-param principalId string
-param subscriptionId string
-param location string = deployment().location
-
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
- name: guid(subscriptionId, roleDefinitionId, location, principalId)
- properties: {
- roleDefinitionId: roleDefinitionId
- principalId: principalId
- }
-}
-
-output roleAssignmentScope string = subscription().id
-output roleAssignmentId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/roleAssignments',roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
index affbc66dbf..3cc992de4a 100644
--- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep 
@@ -18,211 +18,33 @@ param managementGroupId string = '' @description('Optional. Location for all resources.') param location string = deployment().location -var builtInRoleNames_var = { - 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' - 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f' - 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d' - 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' - 'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04' - 'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608' - 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c' - 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61' - 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d' - 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' - 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071' - 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e' - 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b' - 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e' - 'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3' - 'Automation 
Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f' - 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404' - 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5' - 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a' - 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9' - 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7' - 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302' - 'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' - 'Azure Digital Twins Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' - 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec' - 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde' - 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975' - 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8' - 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f' - 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' - 'Azure Maps Data Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204' - 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa' - 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade' - 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb' - 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056' - 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419' - 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' - 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' - 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a' - 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b' - 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324' - 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912' - 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64' - 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342' - 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24' - 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4' - 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090' - 
'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45' - 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd' - 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432' - 'CDN Profile Reader': '/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af' - 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f' - 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25' - 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d' - 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb' - 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe' - 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68' - 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3' - 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f' - 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c' - 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73' - 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b' - 'Cognitive Services Data Reader (Preview)': 
'/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c' - 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025' - 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126' - 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908' - 'Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' - 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8' - 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa' - 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb' - 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430' - 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3' - 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5' - 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027' - 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5' - 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88' - 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90' - 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63' - 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64' - 'DNS 
Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314' - 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450' - 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443' - 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405' - 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c' - 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c' - 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' - 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' - 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' - 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' - 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' - 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9' - 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a' - 'HDInsight Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c' - 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d' - 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb' - 'Hybrid Server Resource Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624' - 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8' - 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec' - 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e' - 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395' - 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c' - 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41' - 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead' - 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' - 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893' - 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e' - 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe' - 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' - 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae' - 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44' - 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59' - 'Managed Identity Operator': 
'/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830' - 'Managed Services Registration assignment Delete ': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46' - 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c' - 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d' - 'Marketplace Admin': '/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f' - 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' - 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb' - 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05' - 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7' - 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237' - 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745' - 'Owner': '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' - 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84' - 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f' - 'Reader': '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' - 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349' - 'Redis Cache Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17' - 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e' - 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a' - 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608' - 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94' - 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0' - 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd' - 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5' - 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10' - 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4' - 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e' - 'SignalR Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761' - 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567' - 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca' - 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149' - 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827' - 'Spatial Anchors Account Owner': 
'/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c' - 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413' - 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec' - 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d' - 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3' - 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437' - 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab' - 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12' - 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe' - 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b' - 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' - 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a' - 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb' - 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7' - 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314' - 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88' - 'Storage Queue Data Message 
Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed' - 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a' - 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925' - 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e' - 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' - 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7' - 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' - 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4' - 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c' - 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52' - 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b' - 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772' - 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad' - 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d' -} - -var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? 
builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName) - -module roleAssignment_mg './.bicep/nested_roleAssignments_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { - name: 'roleAssignment-mg-${guid(roleDefinitionId_var,principalId)}' +module roleAssignment_mg './.bicep/nested_rbac_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { + name: 'roleAssignment-mg-${guid(roleDefinitionIdOrName,principalId)}' scope: managementGroup(managementGroupId) params: { - roleDefinitionId: roleDefinitionId_var + roleDefinitionIdOrName: roleDefinitionIdOrName principalId: principalId managementGroupId: managementGroupId location: location } } -module roleAssignment_sub './.bicep/nested_roleAssignments_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { - name: 'roleAssignment-sub-${guid(roleDefinitionId_var,principalId)}' +module roleAssignment_sub './.bicep/nested_rbac_sub.bicep' = if (empty(managementGroupId) && !empty(subscriptionId) && empty(resourceGroupName)) { + name: 'roleAssignment-sub-${guid(roleDefinitionIdOrName,principalId)}' scope: subscription(subscriptionId) params: { - roleDefinitionId: roleDefinitionId_var + roleDefinitionIdOrName: roleDefinitionIdOrName principalId: principalId subscriptionId: subscriptionId location: location } } -module roleAssignment_rg './.bicep/nested_roleAssignments_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { - name: 'roleAssignment-${guid(roleDefinitionId_var,principalId)}' +module roleAssignment_rg './.bicep/nested_rbac_rg.bicep' = if (empty(managementGroupId) && !empty(resourceGroupName) && !empty(subscriptionId)) { + name: 'roleAssignment-${guid(roleDefinitionIdOrName,principalId)}' scope: resourceGroup(subscriptionId, resourceGroupName) params: { - roleDefinitionId: roleDefinitionId_var + roleDefinitionIdOrName: 
roleDefinitionIdOrName principalId: principalId subscriptionId: subscriptionId resourceGroupName: resourceGroupName @@ -230,5 +52,6 @@ module roleAssignment_rg './.bicep/nested_roleAssignments_rg.bicep' = if (empty( } } +output roleAssignmentName string = !empty(managementGroupId) ? roleAssignment_mg.outputs.roleAssignmentName : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.roleAssignmentName : roleAssignment_sub.outputs.roleAssignmentName) output roleAssignmentId string = !empty(managementGroupId) ? roleAssignment_mg.outputs.roleAssignmentId : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.roleAssignmentId : roleAssignment_sub.outputs.roleAssignmentId) output roleAssignmentScope string = !empty(managementGroupId) ? roleAssignment_mg.outputs.roleAssignmentScope : (!empty(resourceGroupName) ? roleAssignment_rg.outputs.roleAssignmentScope : roleAssignment_sub.outputs.roleAssignmentScope) diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md index f3dc3c569c..9e9c9df7cd 100644 --- a/arm/Microsoft.Authorization/roleAssignments/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/readme.md @@ -60,6 +60,7 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour | Output Name | Type | Description | | :-- | :-- | :-- | +| `roleAssignmentName` | string | The name of the role assignment | | `roleAssignmentScope` | string | The scope of the assignments defined in this module were created on. | | `roleAssignmentId` | array | Role Assignment Resource ID | diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep index 046d641681..b31640394f 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_mg.bicep 
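Review bot: The three `module` calls now hand `roleDefinitionIdOrName` through unresolved, so the name-to-ID lookup that the deleted `builtInRoleNames_var` table performed here has to happen inside each of `nested_rbac_mg.bicep`, `nested_rbac_sub.bicep` and `nested_rbac_rg.bicep`, and the `roleAssignmentName` output added in the following hunk (`@@ -230,5 +52,6 @@`) depends on those modules exposing that output; none of those files is in this chunk, so neither can be confirmed from here. If the lookup table now lives in three nested modules, a comment on the `module` lines saying where it is maintained would help the next maintainer, e.g. `// Built-in role names are resolved to definition IDs inside the nested module`. Separately, the resource-group deployment name still lacks a scope infix unlike its `-mg`/`-sub` siblings: `name: 'roleAssignment-rg-${guid(roleDefinitionIdOrName,principalId)}'`. The readme hunk that follows documents `roleAssignmentId` as `array`, while the output declared here is `string`.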
@@ -29,5 +29,6 @@ resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-prev } } +output roleDefinitionName string = roleDefinition.name output roleDefinitionScope string = tenantResourceId('Microsoft.Management/managementGroups',managementGroupId) output roleDefinitionId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/roleDefinitions',roleDefinition.name) diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep index c8c9477e6e..aefe1d745f 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_rg.bicep @@ -6,7 +6,7 @@ param actions array = [] param notActions array = [] param dataActions array = [] param notDataActions array = [] -param subscriptionId string = subscription().id +param subscriptionId string = subscription().subscriptionId param resourceGroupName string = resourceGroup().name param location string = resourceGroup().location @@ -30,5 +30,6 @@ resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-prev } } +output roleDefinitionName string = roleDefinition.name output roleDefinitionScope string = resourceGroup().id output roleDefinitionId string = roleDefinition.id diff --git a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep index 6b3fa00545..41417f05a3 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/.bicep/nested_roleDefinitions_sub.bicep 
@@ -6,7 +6,7 @@ param actions array = [] param notActions array = [] param dataActions array = [] param notDataActions array = [] -param subscriptionId string +param subscriptionId string = subscription().subscriptionId param location string = deployment().location resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = { @@ -29,5 +29,6 @@ resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-prev } } +output roleDefinitionName string = roleDefinition.name output roleDefinitionScope string = subscription().id output roleDefinitionId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/roleDefinitions',roleDefinition.name) diff --git a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep index 0a972325b1..fbfa68ddb5 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep +++ b/arm/Microsoft.Authorization/roleDefinitions/deploy.bicep @@ -76,5 +76,6 @@ module roleDefinition_rg './.bicep/nested_roleDefinitions_rg.bicep' = if (empty( } } +output roleDefinitionName string = !empty(managementGroupId) ? roleDefinition_mg.outputs.roleDefinitionName : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.roleDefinitionName : roleDefinition_sub.outputs.roleDefinitionName) output roleDefinitionId string = !empty(managementGroupId) ? roleDefinition_mg.outputs.roleDefinitionId : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.roleDefinitionId : roleDefinition_sub.outputs.roleDefinitionId) output roleDefinitionScope string = !empty(managementGroupId) ? roleDefinition_mg.outputs.roleDefinitionScope : (!empty(resourceGroupName) ? roleDefinition_rg.outputs.roleDefinitionScope : roleDefinition_sub.outputs.roleDefinitionScope) diff --git a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json index d66e19809e..09dd933504 100644 
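Review bot: In the `@@ -29,5 +29,6 @@` hunk of nested_roleDefinitions_sub.bicep, `roleDefinitionId` is still composed from the `subscriptionId` parameter while `roleDefinitionScope` comes from `subscription().id`; now that `subscriptionId` defaults to `subscription().subscriptionId` but can still be overridden by a caller, a supplied value that differs from the deployment's actual subscription makes the two outputs describe different subscriptions. The sibling `nested_roleDefinitions_rg.bicep` already uses the symbolic reference for this output, so doing the same here keeps the modules consistent and ties the ID to the scope the resource was actually created in: `output roleDefinitionId string = roleDefinition.id`. The `resource roleDefinition` body that these hunks close starts outside the hunk.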
--- a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json +++ b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json @@ -3,13 +3,7 @@ "contentVersion": "1.0.0.0", "parameters": { "roleName": { - "value": "myCustomRoleAtRg" - }, - "subscriptionId": { - "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" - }, - "resourceGroupName": { - "value": "validation-rg" + "value": "myCustomRoleAtSub" }, "roleDescription": { "value": "" @@ -35,6 +29,9 @@ }, "notDataActions": { "value": [] + }, + "subscriptionId": { + "value": "20d6fbfe-b049-471c-95af-1369d14d0d45" } } } \ No newline at end of file diff --git a/arm/Microsoft.Authorization/roleDefinitions/readme.md b/arm/Microsoft.Authorization/roleDefinitions/readme.md index 16f78000a9..bc810c19eb 100644 --- a/arm/Microsoft.Authorization/roleDefinitions/readme.md +++ b/arm/Microsoft.Authorization/roleDefinitions/readme.md @@ -64,6 +64,7 @@ To deploy resource to a Resource Group, provide the `subscriptionId` and `resour | Output Name | Type | Description | | :-- | :-- | :-- | +| `roleDefinitionName` | string | The name of the role definition | | `roleDefinitionId` | string | The id of the role definition that was created. | | `roleDefinitionScope` | string | The scope this definition was created on. | diff --git a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep index b5d7e632db..961e403210 100644 --- a/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep +++ b/arm/Microsoft.Automation/automationAccounts/.bicep/nested_rbac.bicep 
@@ -1,12 +1,11 @@ -param roleAssignment object +param roleAssignmentObj object param builtInRoleNames object -param automationAccountName string +param resourceName string -resource nested_rbac 'Microsoft.Automation/automationAccounts/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignment.principalIds: { - name: '${automationAccountName}/Microsoft.Authorization/${guid(automationAccountName, principalId, roleAssignment.roleDefinitionIdOrName)}' +resource roleAssigment 'Microsoft.Automation/automationAccounts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: { + name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' properties: { - roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName) + roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) principalId: principalId } - dependsOn: [] }] diff --git a/arm/Microsoft.Automation/automationAccounts/deploy.bicep b/arm/Microsoft.Automation/automationAccounts/deploy.bicep index 3bfadef922..e3e7a836b3 100644 --- a/arm/Microsoft.Automation/automationAccounts/deploy.bicep +++ b/arm/Microsoft.Automation/automationAccounts/deploy.bicep 
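Review bot: The renamed resource symbol `roleAssigment` is misspelled (missing the `n`); it is only a symbolic name, so `resource roleAssignment 'Microsoft.Automation/automationAccounts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {` can be corrected without changing the deployed resource name. The `guid(...)` seed on the `name` line still uses the unresolved `roleAssignmentObj.roleDefinitionIdOrName`, so the same built-in role supplied once by display name and once by its definition ID produces two different deterministic names for one principal and scope, and the second deployment is rejected by Azure as a duplicate assignment; hoisting the lookup to `var roleDefinitionId = contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName` and seeding the guid with it yields one name per role, though it renames assignments of existing name-based deployments and should be weighed as a breaking change. When the input matches no key of `builtInRoleNames` it is passed straight through to `roleDefinitionId`, which must be a full resource ID rather than a bare GUID, so a comment such as `// roleDefinitionIdOrName must be a key of builtInRoleNames or a full roleDefinitions resource ID` would make that contract explicit.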
@@ -114,23 +114,23 @@ var diagnosticsLogs = [
 ]
 
 var builtInRoleNames = {
-  'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
-  'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
-  'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
-  'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','f353d9bd-d4a6-484e-a77a-8050b599b867')
-  'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4fe576fe-1146-4730-92eb-48519fa6bf9f')
-  'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','d3881f73-407a-4167-8283-e981cbba0404')
-  'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')
-  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
-  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
-  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
-  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
-  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
-  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
-  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
-  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
-  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
-  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+  'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Automation Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f353d9bd-d4a6-484e-a77a-8050b599b867')
+  'Automation Job Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4fe576fe-1146-4730-92eb-48519fa6bf9f')
+  'Automation Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'd3881f73-407a-4167-8283-e981cbba0404')
+  'Automation Runbook Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')
+  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
 module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -236,16 +236,13 @@ module automationAccount_privateEndpoints './.bicep/nested_privateEndpoint.bicep
     ]
   }]
 
-module automationAccount_rbac './.bicep/nested_rbac.bicep' = [for (item, index) in roleAssignments: {
+module automationAccount_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
   name: 'rbac-${deployment().name}${index}'
   params: {
-    roleAssignment: item
+    roleAssignmentObj: roleAssignment
     builtInRoleNames: builtInRoleNames
-    automationAccountName: automationAccountName
+    resourceName: automationAccount.name
   }
-  dependsOn: [
-    automationAccount
-  ]
 }]
 
 output automationAccountResourceId string = automationAccount.id
diff --git a/arm/Microsoft.Automation/automationAccounts/readme.md b/arm/Microsoft.Automation/automationAccounts/readme.md
index 66367cf3ef..05f54f6877 100644
--- a/arm/Microsoft.Automation/automationAccounts/readme.md
+++ b/arm/Microsoft.Automation/automationAccounts/readme.md
@@ -13,7 +13,7 @@ This module deploys an Azure Automation Account, with resource lock.
 |`Microsoft.Automation/automationAccounts/jobSchedules`|2015-10-31|
 |`Microsoft.Automation/automationAccounts/runbooks`|2018-06-30|
 |`Microsoft.Automation/automationAccounts/providers/diagnosticsettings`|2017-05-01-preview|
-|`Microsoft.Automation/automationAccounts/providers/roleAssignments`|2018-09-01-preview|
+|`Microsoft.Automation/automationAccounts/providers/roleAssignments`|2020-04-01-preview|
 |`Microsoft.Network/privateEndpoints`|2020-05-01|
 |`Microsoft.Network/privateEndpoints/privateDnsZoneGroups`|2020-05-01|
 
@@ -121,7 +121,7 @@ List of schedules to be created in the automation account
     "scheduleName": "ScalingRunbook_Schedule", // The schedule name.
     "startTime": "", // Gets or sets the start time of the schedule.
     "expiryTime": "9999-12-31T23:59:00+00:00", // Gets or sets the end time of the schedule.
-    "interval": 15, // Gets or sets the interval of the schedule.
+    "interval": 15, // Gets or sets the interval of the schedule.
     "frequency": "Minute", // Gets or sets the frequency of the schedule. - OneTime, Day, Hour, Week, Month, Minute
     "timeZone": "Europe/Berlin", // Gets or sets the time zone of the schedule.
     "advancedSchedule": "" // Gets or sets the AdvancedSchedule
diff --git a/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep
index 31c1651f42..69e4a5a6be 100644
--- a/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Compute/galleries/.bicep/nested_rbac.bicep
@@ -1,12 +1,12 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param galleryName string
+param resourceName string
+
+resource roleAssigment 'Microsoft.Compute/galleries/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+  name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 
-resource nested_rbac 'Microsoft.Compute/galleries/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
-  name: '${galleryName}/Microsoft.Authorization/${guid(uniqueString('${galleryName}${principalId}${roleAssignment.roleDefinitionIdOrName}'))}'
   properties: {
-    roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+    roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
     principalId: principalId
   }
-  dependsOn: []
 }]
diff --git a/arm/Microsoft.Compute/galleries/deploy.bicep b/arm/Microsoft.Compute/galleries/deploy.bicep
index 8bb554db38..2ae5486317 100644
--- a/arm/Microsoft.Compute/galleries/deploy.bicep
+++ b/arm/Microsoft.Compute/galleries/deploy.bicep
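Review bot: The added `name:` line changes how the role-assignment GUID is derived, from `guid(uniqueString('${galleryName}${principalId}${roleAssignment.roleDefinitionIdOrName}'))` on the removed side to `guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)` on the new side, so identical inputs now produce a different assignment name; the virtualMachineScaleSets nested_rbac.bicep hunk in this commit makes the same switch. A redeployment over a gallery provisioned with the previous template will therefore request a second assignment with the same principal, role and scope under a new name, which in my experience ARM rejects with a RoleAssignmentExists conflict rather than silently duplicating, so the rollout needs either a one-off cleanup of the old assignments or at least a note in the module readme that the naming scheme changed. Also worth a look: `guid()` is now seeded with the bare resource name rather than a scope-qualified id, so two galleries with the same name in different resource groups yield the same assignment GUID; whether the platform treats that as a collision across scopes is something I have not confirmed, and seeding with the resource id would remove the question.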
@@ -61,16 +61,13 @@ resource gallery_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDe
   scope: gallery
 }
 
-module rbac_name './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
-  name: 'rbac-${deployment().name}${i}'
+module gallery_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+  name: 'rbac-${deployment().name}${index}'
   params: {
-    roleAssignment: item
+    roleAssignmentObj: roleAssignment
     builtInRoleNames: builtInRoleNames
-    galleryName: galleryName
+    resourceName: gallery.name
   }
-  dependsOn: [
-    gallery
-  ]
 }]
 
 output galleryResourceId string = gallery.id
diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep b/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep
index 40d5e3aff5..f87dcfbd16 100644
--- a/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Compute/virtualMachineScaleSets/.bicep/nested_rbac.bicep
@@ -1,12 +1,12 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param vmssName string
+param resourceName string
+
+resource roleAssigment 'Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+  name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 
-resource nested_rbac 'Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignment.principalIds: {
-  name: '${vmssName}/Microsoft.Authorization/${guid(uniqueString('${vmssName}${principalId}${roleAssignment.roleDefinitionIdOrName}'))}'
   properties: {
-    roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+    roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
     principalId: principalId
   }
-  dependsOn: []
 }]
diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep
index 6a69b00617..a9f193ba42 100644
--- a/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep
+++ b/arm/Microsoft.Compute/virtualMachineScaleSets/deploy.bicep
@@ -174,7 +174,7 @@ param domainJoinOptions int = 3
 param dscConfiguration object = {}
 
 @description('Optional. Storage account boot diagnostic base URI.')
-param bootDiagnosticStorageAccountUri string = '.blob.${environment().suffixes.storage}/'
+param bootDiagnosticStorageAccountUri string = '.blob.${environment().suffixes.storage}/'
 
 @description('Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided.')
 param bootDiagnosticStorageAccountName string = ''
@@ -322,9 +322,9 @@ param managedIdentityType string = ''
 @description('Optional. The list of user identities associated with the virtual machine scale set. The user identity dictionary key references will be ARM resource ids in the form: \'/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}\'.')
 param managedIdentityIdentities object = {}
 
-var publicKeysFormatted = [for item in publicKeys : {
-  path: item.path
-  keyData: item.keyData
+var publicKeysFormatted = [for publicKey in publicKeys: {
+  path: publicKey.path
+  keyData: publicKey.keyData
 }]
 var linuxConfiguration = {
   disablePasswordAuthentication: disablePasswordAuthentication
@@ -334,7 +334,6 @@ var linuxConfiguration = {
   provisionVMAgent: provisionVMAgent
 }
 
-
 var windowsConfiguration = {
   provisionVMAgent: provisionVMAgent
   enableAutomaticUpdates: enableAutomaticUpdates
@@ -750,16 +749,13 @@ resource vmss_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-
   scope: vmss
 }
 
-module vmss_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
-  name: 'rbac-${deployment().name}${i}'
+module vmss_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+  name: 'rbac-${deployment().name}${index}'
   params: {
-    roleAssignment: item
+    roleAssignmentObj: roleAssignment
     builtInRoleNames: builtInRoleNames
-    vmssName: vmssName
+    resourceName: vmss.name
   }
-  dependsOn: [
-    vmss
-  ]
 }]
 
 output vmssResourceIds string = vmss.id
diff --git a/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md b/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md
index e037e7a0b1..fc2e3731ca 100644
--- a/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md
+++ b/arm/Microsoft.Compute/virtualMachineScaleSets/readme.md
@@ -9,7 +9,7 @@ This module deploys a virtual machine scale set
 | `Microsoft.Compute/ProximityPlacementGroups` | 2021-04-01 |
 | `Microsoft.Compute/virtualMachineScaleSets/extensions` | 2020-06-01 |
 | `Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings` | 2017-05-01-preview |
-| `Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments` | 2018-09-01-preview |
+| `Microsoft.Compute/virtualMachineScaleSets/providers/roleAssignments` | 2020-04-01-preview |
 | `Microsoft.Compute/virtualMachineScaleSets` | 2021-04-01 |
 | `Microsoft.Resources/deployments` | 2020-06-01 |
 | `providers/locks` | 2016-09-01 |
@@ -388,4 +388,4 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 - [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2020-06-01/deployments)
 - [ProximityPlacementGroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2019-12-01/ProximityPlacementGroups)
-- [VirtualMachineScaleSets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-06-01/virtualMachineScaleSets)
\ No newline at end of file
+- [VirtualMachineScaleSets](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Compute/2020-06-01/virtualMachineScaleSets)
diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.bicep b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.bicep
index 79f0df751c..78b4431492 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.bicep
+++ b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.bicep
@@ -17,7 +17,7 @@ module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
   params: {}
 }
 
-resource applications_res 'Microsoft.DesktopVirtualization/applicationGroups/applications@2019-12-10-preview' = [for application in applications: {
+resource applications_res 'Microsoft.DesktopVirtualization/applicationGroups/applications@2021-07-12' = [for application in applications: {
   name: '${appGroupName}/${application.name}'
   properties: {
     description: application.description
diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.json b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.json
index 3fd1f3b374..fd4724ef9d 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.json
+++ b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/deploy.json
@@ -51,7 +51,7 @@
     },
     {
       "type": "Microsoft.DesktopVirtualization/applicationGroups/applications",
-      "apiVersion": "2019-12-10-preview",
+      "apiVersion": "2021-07-12",
       "copy": {
         "name": "appCopy",
         "count": "[length(parameters('applications'))]"
diff --git a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/readme.md b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/readme.md
index 473bf375ff..a452d3a06e 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/readme.md
+++ b/arm/Microsoft.DesktopVirtualization/applicationGroupsResources/applications/readme.md
@@ -9,7 +9,7 @@ This module deploys AVD Applications.
 |Resource Type|ApiVersion|
 |:--|:--|
 |`Microsoft.Resources/deployments`|2018-02-01|
-|`Microsoft.DesktopVirtualization/applicationGroups/applications`|2019-12-10-preview|
+|`Microsoft.DesktopVirtualization/applicationGroups/applications`|2021-07-12|
 
 ## Parameters
 
@@ -50,6 +50,7 @@ This module deploys AVD Applications.
     }
   ]
 }
+```
 
 ## Outputs
 
@@ -68,3 +69,4 @@ This module deploys AVD Applications.
 
 - [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview)
 - [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup)
+- [Reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.desktopvirtualization/2021-07-12/applicationgroups/applications)
\ No newline at end of file
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep b/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep
index 8264b85771..51d0a975a5 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/.bicep/nested_rbac.bicep
@@ -1,12 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param appGroupName string
+param resourceName string
 
-resource nested_rbac 'Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignment.principalIds: {
-  name: '${appGroupName}/Microsoft.Authorization/${guid(appGroupName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+  name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
   properties: {
-    roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+    roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
     principalId: principalId
   }
-  dependsOn: []
 }]
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep
index bbf885de42..765892e05f 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.bicep
@@ -78,27 +78,27 @@ var diagnosticsLogs = [
   }
 ]
 var builtInRoleNames = {
-  'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
-  'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
-  'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
-  'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ca6382a4-1721-4bcf-a114-ff0c70227b6b')
-  'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','86240b0e-9422-4c43-887b-b61143f32ba8')
-  'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
-  'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','082f0a83-3be5-4ba1-904c-961cca79b387')
-  'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','49a72310-ab8d-41df-bbb0-79b649203868')
-  'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')
-  'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','21efdde3-836f-432b-bf3d-3e8e734d4b2b')
-  'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
-  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
-  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
-  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
-  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
-  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
-  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
-  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
-  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
-  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
-  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+  'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
+  'Desktop Virtualization Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '86240b0e-9422-4c43-887b-b61143f32ba8')
+  'Desktop Virtualization Application Group Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aebf23d0-b568-4e86-b8f9-fe83a2c6ab55')
+  'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
+  'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
+  'Desktop Virtualization User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')
+  'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
+  'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
+  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
 module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -106,7 +106,7 @@ module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
   params: {}
 }
 
-resource appGroup 'Microsoft.DesktopVirtualization/applicationgroups@2020-11-02-preview' = {
+resource appGroup 'Microsoft.DesktopVirtualization/applicationgroups@2021-07-12' = {
   name: appGroupName
   location: location
   tags: tags
@@ -139,16 +139,13 @@ resource appGroup_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017
   scope: appGroup
 }
 
-module appGroup_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
-  name: 'rbac-${deployment().name}${i}'
+module appGroup_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+  name: 'rbac-${deployment().name}${index}'
   params: {
-    roleAssignment: item
+    roleAssignmentObj: roleAssignment
     builtInRoleNames: builtInRoleNames
-    appGroupName: appGroupName
+    resourceName: appGroup.name
   }
-  dependsOn: [
-    appGroup
-  ]
 }]
 
 output appGroupResourceId string = appGroup.id
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json
index 56281deed3..3643b138d6 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/deploy.json
@@ -185,7 +185,7 @@
     },
     {
       "type": "Microsoft.DesktopVirtualization/applicationgroups",
-      "apiVersion": "2020-11-02-preview",
+      "apiVersion": "2021-07-12",
       "name": "[parameters('appGroupName')]",
       "location": "[parameters('location')]",
       "tags": "[parameters('tags')]",
diff --git a/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md b/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md
index 44f962ebcc..e9efc566eb 100644
--- a/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md
+++ b/arm/Microsoft.DesktopVirtualization/applicationgroups/readme.md
@@ -7,16 +7,16 @@ This module deploys AVD Application Groups, with resource lock and diagnostics c
 |Resource Type|ApiVersion|
 |:--|:--|
 |`Microsoft.Resources/deployments`|2018-02-01|
-|`Microsoft.DesktopVirtualization/applicationgroups`|2019-12-10-preview|
+|`Microsoft.DesktopVirtualization/applicationgroups`|2021-07-12|
 |`providers/locks`|2016-09-01|
 |`Microsoft.DesktopVirtualization/applicationgroups/providers/diagnosticsettings`|2017-05-01-preview|
-|`Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments`|2018-09-01-preview|
+|`Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments`|2020-04-01-preview|
 
 ## Parameters
 
-| Parameter Name | Type | Description | DefaultValue | Possible values |
+| Parameter Name | Type | Description | DefaultValue | Possible values |
 | :-- | :-- | :-- | :-- | :-- |
-| `appGroupDescription` | string | Optional. The description of the Application Group to be created. | | |
+| `appGroupDescription` | string | Optional. The description of the Application Group to be created. | | |
 | `appGroupFriendlyName` | string | Optional. The friendly name of the Application Group to be created. | | |
 | `appGroupName` | string | Required. Name of the Application Group to create this application in. | | |
 | `appGroupType` | string | Required. The type of the Application Group to be created. Allowed values: RemoteApp or Desktop | | System.Object[] |
@@ -94,4 +94,5 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 - [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview)
 - [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup)
-- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
+- [Reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.desktopvirtualization/2021-07-12/applicationgroups)
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep b/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep
index ac2130051d..0a0800f015 100644
--- a/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/.bicep/nested_rbac.bicep
@@ -1,12 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param hostPoolName string
+param resourceName string
 
-resource nested_rbac 'Microsoft.DesktopVirtualization/hostpools/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
-  name: '${hostPoolName}/Microsoft.Authorization/${guid(hostPoolName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.DesktopVirtualization/hostpools/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+  name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
   properties: {
-    roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+    roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
     principalId: principalId
   }
-  dependsOn: []
 }]
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep
index dcb682e3b1..b9cb5ebfa8 100644
--- a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.bicep
@@ -178,7 +178,7 @@ module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
   params: {}
 }
 
-resource hostPool 'Microsoft.DesktopVirtualization/hostpools@2020-11-02-preview' = {
+resource hostPool 'Microsoft.DesktopVirtualization/hostpools@2021-07-12' = {
   name: hostPoolName
   location: location
   tags: tags
@@ -224,16 +224,13 @@ resource hostPool_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017
   scope: hostPool
 }
 
-module hostPool_rbac './.bicep/nested_rbac.bicep' = [for (roleassignment, index) in roleAssignments: {
+module hostPool_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
   name: '${uniqueString(deployment().name, location)}-Rbac-${index}'
   params: {
-    roleAssignment: roleassignment
+    roleAssignmentObj: roleAssignment
     builtInRoleNames: builtInRoleNames
-    hostPoolName: hostPoolName
+    resourceName: hostPool.name
   }
-  dependsOn: [
-    hostPool
-  ]
 }]
 
 output hostPoolResourceId string = hostPool.id
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json
index 167e7ae3f9..5ee877de45 100644
--- a/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/deploy.json
@@ -299,7 +299,7 @@
     },
     {
       "type": "Microsoft.DesktopVirtualization/hostpools",
-      "apiVersion": "2020-11-02-preview",
+      "apiVersion": "2021-07-12",
       "name": "[parameters('hostpoolName')]",
       "location": "[parameters('location')]",
       "tags": "[parameters('tags')]",
diff --git a/arm/Microsoft.DesktopVirtualization/hostpools/readme.md b/arm/Microsoft.DesktopVirtualization/hostpools/readme.md
index 32d62ff9e7..502dc4c224 100644
--- a/arm/Microsoft.DesktopVirtualization/hostpools/readme.md
+++ b/arm/Microsoft.DesktopVirtualization/hostpools/readme.md
@@ -7,7 +7,7 @@ This module deploys AVD Host Pools, with resource lock and diagnostics configura
 |Resource Type|ApiVersion|
 |:--|:--|
-|`Microsoft.DesktopVirtualization/hostpools`|2019-12-10-preview|
+|`Microsoft.DesktopVirtualization/hostpools`|2021-07-12|
 |`Microsoft.DesktopVirtualization/hostpools/providers/diagnosticsettings`|2017-05-01-preview|
 |`providers/locks`|2016-09-01|
 |`Microsoft.Resources/deployments`|2018-02-01|
 
@@ -143,4 +143,5 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 - [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview)
 - [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup)
-- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
+- [Reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.desktopvirtualization/2021-07-12/hostpools)
\ No newline at end of file
diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep b/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep
index af9408c08f..c829a33eb0 100644
--- a/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.DesktopVirtualization/workspaces/.bicep/nested_rbac.bicep
@@ -1,12 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param workspaceName string
+param resourceName string
 
-resource nested_rbac 'Microsoft.DesktopVirtualization/workspaces/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: '${workspaceName}/Microsoft.Authorization/${guid(workspaceName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.DesktopVirtualization/workspaces/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
 principalId: principalId
 }
- dependsOn: []
 }]
diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep
index 26ad52ec54..d7c7e10dfa 100644
--- a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep
+++ b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.bicep
@@ -79,24 +79,24 @@ var diagnosticsLogs = [
 ]
 
 var builtInRoleNames = {
- 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','ca6382a4-1721-4bcf-a114-ff0c70227b6b')
- 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','082f0a83-3be5-4ba1-904c-961cca79b387')
- 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','49a72310-ab8d-41df-bbb0-79b649203868')
- 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','21efdde3-836f-432b-bf3d-3e8e734d4b2b')
- 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Application Group Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ca6382a4-1721-4bcf-a114-ff0c70227b6b')
+ 'Desktop Virtualization Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '082f0a83-3be5-4ba1-904c-961cca79b387')
+ 'Desktop Virtualization Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '49a72310-ab8d-41df-bbb0-79b649203868')
+ 'Desktop Virtualization Workspace Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '21efdde3-836f-432b-bf3d-3e8e734d4b2b')
+ 'Desktop Virtualization Workspace Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0fa44ee9-7a7d-466b-9bb2-2bf446b1204d')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
 module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -104,7 +104,7 @@ module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
 params: {}
 }
 
-resource workspace 'Microsoft.DesktopVirtualization/workspaces@2020-11-02-preview' = {
+resource workspace 'Microsoft.DesktopVirtualization/workspaces@2021-07-12' = {
 name: workSpaceName
 location: location
 tags: tags
@@ -136,18 +136,15 @@ resource workspace_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@201
 scope: workspace
 }
 
-module workspace_rbac './.bicep/nested_rbac.bicep' = [for (roleassignment, index) in roleAssignments: {
+module workspace_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-Rbac-${index}'
 params: {
- roleAssignment: roleassignment
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
- workspaceName: workSpaceName
+ resourceName: workspace.name
 }
- dependsOn: [
- workspace
- ]
 }]
 
 output workspaceResourceId string = workspace.id
 output workspaceResourceGroup string = resourceGroup().name
-output workspaceName string = workSpaceName
+output workspaceName string = workspace.name
diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json
index ce926f5b3a..e2bf8d7a3c 100644
--- a/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json
+++ b/arm/Microsoft.DesktopVirtualization/workspaces/deploy.json
@@ -181,7 +181,7 @@
 },
 {
 "type": "Microsoft.DesktopVirtualization/workspaces",
- "apiVersion": "2020-11-02-preview",
+ "apiVersion": "2021-07-12",
 "name": "[parameters('workSpaceName')]",
 "location": "[parameters('location')]",
 "tags": "[parameters('tags')]",
diff --git a/arm/Microsoft.DesktopVirtualization/workspaces/readme.md b/arm/Microsoft.DesktopVirtualization/workspaces/readme.md
index c8d27f5739..57d0030bc0 100644
--- a/arm/Microsoft.DesktopVirtualization/workspaces/readme.md
+++ b/arm/Microsoft.DesktopVirtualization/workspaces/readme.md
@@ -8,7 +8,7 @@ This module deploys AVD Workspaces, with resource lock and diagnostic configurat |Resource Type|ApiVersion| |:--|:--| -|`Microsoft.DesktopVirtualization/workspaces`|2019-12-10-preview| +|`Microsoft.DesktopVirtualization/workspaces`|2021-07-12| |`Microsoft.DesktopVirtualization/workspaces/providers/diagnosticsettings`|2017-05-01-preview| |`Microsoft.Resources/deployments`|2018-02-01| |`providers/locks`|2016-09-01| @@ -27,10 +27,9 @@ This module deploys AVD Workspaces, with resource lock and diagnostic configurat | `location` | string | Optional. Location for all resources. | [resourceGroup().location] | | | `lockForDeletion` | bool | Optional. Switch to lock Resource from deletion. | False | | | `roleAssignments` | array | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | System.Object[] | | - | `tags` | object | Optional. Tags of the resource. | | | | `workspaceDescription` | string | Optional. The description of the Workspace to be created. | | | -| `workspaceFriendlyName` | string | Optional. The friendly name of the Workspace to be created. | | | +| `workspaceFriendlyName` | string | Optional. The friendly name of the Workspace to be created. | | | | `workspaceId` | string | Optional. Resource identifier of Log Analytics. | | | | `workSpaceName` | String | Required. The name of the workspace to be attach to new Application Group. | | | 
@@ -96,4 +95,5 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 
 - [What is Windows Virtual Desktop?](https://docs.microsoft.com/en-us/azure/virtual-desktop/overview)
 - [Windows Virtual Desktop environment](https://docs.microsoft.com/en-us/azure/virtual-desktop/environment-setup)
-- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
\ No newline at end of file
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
+- [Reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.desktopvirtualization/2021-07-12/workspaces)
\ No newline at end of file
diff --git a/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep
index d45c5dc704..988bfbbab1 100644
--- a/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Insights/actionGroups/.bicep/nested_rbac.bicep
@@ -1,11 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
 param resourceName string
 
-resource roleAssigment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: guid(resourceName, principalId, roleAssignment.roleDefinitionIdOrName)
+resource roleAssigment 'microsoft.insights/actionGroups/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName
 principalId: principalId
 }
 }]
diff --git a/arm/Microsoft.Insights/actionGroups/deploy.bicep b/arm/Microsoft.Insights/actionGroups/deploy.bicep
index c8d5f31fdc..16be55d370 100644
--- a/arm/Microsoft.Insights/actionGroups/deploy.bicep
+++ b/arm/Microsoft.Insights/actionGroups/deploy.bicep
@@ -94,13 +94,10 @@ resource actionGroup 'microsoft.insights/actionGroups@2019-06-01' = {
 module actionGroup_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: roleAssignment
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
 resourceName: actionGroup.name
 }
- dependsOn: [
- actionGroup
- ]
 }]
 
 output deploymentResourceGroup string = resourceGroup().name
diff --git a/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep
index d45c5dc704..bc4dd72866 100644
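Review bot: Switching the actionGroups role assignment from `Microsoft.Authorization/roleAssignments` with no `scope` to the `.../actionGroups/providers/roleAssignments` extension form moves where the grant lives: the old resource was created at the scope of the nested deployment (the resource group, unless the module was deployed at another scope) and an incremental redeployment does not delete it, so existing environments keep a resource-group-wide grant per principal next to the new resource-scoped one. The activityLogAlerts and metricAlerts nested_rbac hunks make the same move, and the Logic workflows hunk changes the `guid()` seed and API version, which likewise leaves the previously named assignments in place. A one-off cleanup of the stale assignments should accompany this change, or at least a readme note that redeploying the module does not remove them. Separately, the type string here is written `microsoft.insights/actionGroups/...` while the activityLogAlerts, components and metricAlerts files use `Microsoft.Insights/...`; the namespace is not case-sensitive to ARM as far as I know, but one spelling is easier to grep for.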
--- a/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Insights/activityLogAlerts/.bicep/nested_rbac.bicep
@@ -1,11 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
 param resourceName string
 
-resource roleAssigment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: guid(resourceName, principalId, roleAssignment.roleDefinitionIdOrName)
+resource roleAssigment 'Microsoft.Insights/activityLogAlerts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName
 principalId: principalId
 }
 }]
diff --git a/arm/Microsoft.Insights/activityLogAlerts/deploy.bicep b/arm/Microsoft.Insights/activityLogAlerts/deploy.bicep
index 51ef1e27a1..1a9c8a8c39 100644
--- a/arm/Microsoft.Insights/activityLogAlerts/deploy.bicep
+++ b/arm/Microsoft.Insights/activityLogAlerts/deploy.bicep
@@ -12,7 +12,7 @@ param enabled bool = true
 
 @description('Required. the list of resource id\'s that this metric alert is scoped to.')
 param scopes array = [
- subscription().id
+ subscription().id
 ]
 
 @description('Optional. The list of actions to take when alert triggers.')
@@ -31,8 +31,8 @@ param tags object = {}
 param cuaId string = ''
 
 var actionGroups = [for action in actions: {
- actionGroupId: contains(action, 'actionGroupId') ? action.actionGroupId : action
- webhookProperties: contains(action, 'webhookProperties') ? action.webhookProperties : json('null')
+ actionGroupId: contains(action, 'actionGroupId') ? action.actionGroupId : action
+ webhookProperties: contains(action, 'webhookProperties') ? action.webhookProperties : json('null')
 }]
 
 var builtInRoleNames = {
@@ -77,13 +77,10 @@ resource activityLogAlert 'Microsoft.Insights/activityLogAlerts@2020-10-01' = {
 module activityLogAlert_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: roleAssignment
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
 resourceName: activityLogAlert.name
 }
- dependsOn: [
- activityLogAlert
- ]
 }]
 
 output activityLogAlertName string = activityLogAlert.name
diff --git a/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep
index ae27c4fd7d..a864a1d86c 100644
--- a/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Insights/components/.bicep/nested_rbac.bicep
@@ -1,11 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
 param resourceName string
 
-resource nested_rbac 'Microsoft.Insights/components/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.Insights/components/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName
 principalId: principalId
 }
 }]
diff --git a/arm/Microsoft.Insights/components/deploy.bicep b/arm/Microsoft.Insights/components/deploy.bicep
index 650a941e31..7423a4aa96 100644
--- a/arm/Microsoft.Insights/components/deploy.bicep
+++ b/arm/Microsoft.Insights/components/deploy.bicep
@@ -81,13 +81,10 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
 module appInsights_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: roleAssignment
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
 resourceName: appInsights.name
 }
- dependsOn: [
- appInsights
- ]
 }]
 
 output appInsightsName string = appInsightsName
diff --git a/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep b/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep
index d45c5dc704..5302382cb3 100644
--- a/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Insights/metricAlerts/.bicep/nested_rbac.bicep
@@ -1,11 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
 param resourceName string
 
-resource roleAssigment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: guid(resourceName, principalId, roleAssignment.roleDefinitionIdOrName)
+resource roleAssigment 'Microsoft.Insights/metricAlerts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName
+ roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName
 principalId: principalId
 }
 }]
diff --git a/arm/Microsoft.Insights/metricAlerts/deploy.bicep b/arm/Microsoft.Insights/metricAlerts/deploy.bicep
index 9fc416e18a..a2a916c9e2 100644
--- a/arm/Microsoft.Insights/metricAlerts/deploy.bicep
+++ b/arm/Microsoft.Insights/metricAlerts/deploy.bicep
@@ -45,7 +45,7 @@ param windowSize string = 'PT15M'
 
 @description('Optional. the list of resource id\'s that this metric alert is scoped to.')
 param scopes array = [
- subscription().id
+ subscription().id
 ]
 
 @description('Optional. The resource type of the target resource(s) on which the alert is created/updated. Mandatory for MultipleResourceMultipleMetricCriteria.')
@@ -81,8 +81,8 @@ param tags object = {}
 param cuaId string = ''
 
 var actionGroups = [for action in actions: {
- actionGroupId: contains(action, 'actionGroupId') ? action.actionGroupId : action
- webHookProperties: contains(action, 'webHookProperties') ? action.webHookProperties : json('null')
+ actionGroupId: contains(action, 'actionGroupId') ? action.actionGroupId : action
+ webHookProperties: contains(action, 'webHookProperties') ? action.webHookProperties : json('null')
 }]
 
 var builtInRoleNames = {
@@ -135,13 +135,10 @@ resource metricAlert 'Microsoft.Insights/metricAlerts@2018-03-01' = {
 module metricAlert_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: roleAssignment
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
 resourceName: metricAlert.name
 }
- dependsOn: [
- metricAlert
- ]
 }]
 
 output deploymentResourceGroup string = resourceGroup().name
diff --git a/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep
index 067e223503..e5a34cad11 100644
--- a/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.KeyVault/vaults/.bicep/nested_rbac.bicep
@@ -1,13 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param keyVaultName string
+param resourceName string
 
-
-resource nested_rbac 'Microsoft.Storage/storageAccounts/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: '${keyVaultName}/Microsoft.Authorization/${guid(keyVaultName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.KeyVault/vaults/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
 principalId: principalId
 }
- dependsOn: []
 }]
diff --git a/arm/Microsoft.KeyVault/vaults/deploy.bicep b/arm/Microsoft.KeyVault/vaults/deploy.bicep
index 7bd568856b..e2c6a0f0e4 100644
--- a/arm/Microsoft.KeyVault/vaults/deploy.bicep
+++ b/arm/Microsoft.KeyVault/vaults/deploy.bicep
@@ -253,19 +253,16 @@ module keyVault_privateEndpoints './.bicep/nested_privateEndpoint.bicep' = [for
 ]
 }]
 
-module keyVault_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
- name: 'rbac-${deployment().name}${i}'
+module keyVault_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: item
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
- keyVaultName: keyVaultName_var
+ resourceName: keyVault.name
 }
- dependsOn: [
- keyVault
- ]
 }]
 
 output keyVaultResourceId string = keyVault.id
 output keyVaultResourceGroup string = resourceGroup().name
-output keyVaultName string = keyVaultName_var
+output keyVaultName string = keyVault.name
 output keyVaultUrl string = reference(keyVault.id, '2016-10-01').vaultUri
diff --git a/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep b/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep
index 276d1b47a9..4ef6bce6a0 100644
--- a/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Logic/workflows/.bicep/nested_rbac.bicep
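Review bot: The outputs block now reads `keyVaultName` from the symbolic resource (`keyVault.name`), but the next output still goes through `reference(keyVault.id, '2016-10-01').vaultUri`, which pins a second, older API version for the same resource and bypasses the symbolic reference the rest of this hunk adopts. `output keyVaultUrl string = keyVault.properties.vaultUri` reads the same property through the API version declared on the `keyVault` resource (outside this hunk) and drops the hard-coded date.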
@@ -1,12 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param logicAppName string
+param resourceName string
 
-resource logicAppName_Microsoft_Authorization_logicAppName_roleAssignment_principalIds_innerRbacCopy_roleAssignment_roleDefinitionIdOrName 'Microsoft.Logic/workflows/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: '${logicAppName}/Microsoft.Authorization/${guid(uniqueString('${logicAppName}${principalId}${roleAssignment.roleDefinitionIdOrName}'))}'
+resource roleAssigment 'Microsoft.Logic/workflows/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
 principalId: principalId
 }
- dependsOn: []
 }]
diff --git a/arm/Microsoft.Logic/workflows/deploy.bicep b/arm/Microsoft.Logic/workflows/deploy.bicep
index 9e65677d30..b704e0f1d6 100644
--- a/arm/Microsoft.Logic/workflows/deploy.bicep
+++ b/arm/Microsoft.Logic/workflows/deploy.bicep
@@ -192,18 +192,15 @@ resource logicApp_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017
 scope: logicApp
 }
 
-module logicApp_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
- name: 'rbac-${deployment().name}${i}'
+module logicApp_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: item
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
- logicAppName: logicAppName
+ resourceName: logicApp.name
 }
- dependsOn: [
- logicApp
- ]
 }]
 
-output logicAppName string = logicAppName
+output logicAppName string = logicApp.name
 output logicAppResourceGroup string = resourceGroup().name
 output logicAppResourceId string = logicApp.id
diff --git a/arm/Microsoft.Logic/workflows/readme.md b/arm/Microsoft.Logic/workflows/readme.md
index 9101d18539..a63117a3ea 100644
--- a/arm/Microsoft.Logic/workflows/readme.md
+++ b/arm/Microsoft.Logic/workflows/readme.md
@@ -8,7 +8,7 @@ This module deploys Logic App resource.
 | -------------------------------------------------------- | ------------------ |
 | `Microsoft.Logic/workflows`| 2019-05-01 |
 | `Microsoft.Logic/workflows/providers/diagnosticsettings` | 2017-05-01-preview |
-| `Microsoft.Logic/workflows/providers/roleAssignments` | 2018-09-01-preview |
+| `Microsoft.Logic/workflows/providers/roleAssignments` | 2020-04-01-preview |
 | `Microsoft.Resources/deployments` | 2020-06-01 |
 | `providers/locks`| 2016-09-01 |
diff --git a/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep
index ed4b23cf99..9513118a8e 100644
--- a/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Network/applicationGateways/.bicep/nested_rbac.bicep
@@ -8,5 +8,4 @@ resource roleAssignment 'Microsoft.Network/applicationGateways/providers/roleAss
 roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
 principalId: principalId
 }
- dependsOn: []
 }]
diff --git a/arm/Microsoft.Network/applicationGateways/deploy.json b/arm/Microsoft.Network/applicationGateways/deploy.json
deleted file mode 100644
index 7a73367b88..0000000000
--- a/arm/Microsoft.Network/applicationGateways/deploy.json
+++ /dev/null
@@ -1,885 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "applicationGatewayName": { - "type": "string", - "metadata": { - "description": "Required. The name to be used for the Application Gateway." - } - }, - "sku": { - "type": "string", - "allowedValues": [ - "Standard_Small", - "Standard_Medium", - "Standard_Large", - "WAF_Medium", - "WAF_Large", - "Standard_v2", - "WAF_v2" - ], - "defaultValue": "WAF_Medium", - "metadata": { - "description": "Optional. The name of the SKU for the Application Gateway." - } - }, - "capacity": { - "type": "int", - "defaultValue": 2, - "minValue": 1, - "maxValue": 10, - "metadata": { - "description": "Optional. The number of Application instances to be configured." - } - }, - "http2Enabled": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enables HTTP/2 support." - } - }, - "frontendPublicIpResourceId": { - "type": "string", - "metadata": { - "description": "Required. PublicIP Resource Id used in Public Frontend." - } - }, - "frontendPrivateIpAddress": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The private IP within the Application Gateway subnet to be used as frontend private address.", - "limitations": "The IP must be available in the configured subnet. If empty, allocation method will be set to dynamic. Once a method (static or dynamic) has been configured, it cannot be changed" - } - }, - "vNetName": { - "type": "string", - "metadata": { - "description": "Required. The name of the Virtual Network where the Application Gateway will be deployed." - } - }, - "subnetName": { - "type": "string", - "metadata": { - "description": "Required. The name of Gateway Subnet Name where the Application Gateway will be deployed." 
- } - }, - "vNetResourceGroup": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Optional. The name of the Virtual Network Resource Group where the Application Gateway will be deployed." - } - }, - "vNetSubscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Optional. The Subscription Id of the Virtual Network where the Application Gateway will be deployed." - } - }, - "managedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource Id of an User assigned managed identity which will be associated with the App Gateway." - } - }, - "gatewayIpConfigurationName": { - "type": "string", - "defaultValue": "gatewayIpConfiguration01", - "metadata": { - "description": "Optional. Application Gateway IP configuration name." - } - }, - "sslCertificateName": { - "type": "string", - "defaultValue": "sslCertificate01", - "metadata": { - "description": "Optional. SSL certificate reference name for a certificate stored in the Key Vault to configure the HTTPS listeners." - } - }, - "sslCertificateKeyVaultSecretId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Secret Id of the SSL certificate stored in the Key Vault that will be used to configure the HTTPS listeners." - } - }, - "backendPools": { - "type": "array", - "metadata": { - "description": "Required. The backend pools to be configured." - } - }, - "backendHttpConfigurations": { - "type": "array", - "metadata": { - "description": "Required. The backend HTTP settings to be configured. These HTTP settings will be used to rewrite the incoming HTTP requests for the backend pools." - } - }, - "probes": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. The backend HTTP settings probes to be configured." 
- } - }, - "frontendHttpListeners": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Required. The frontend http listeners to be configured." - } - }, - "frontendHttpsListeners": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Required. The frontend https listeners to be configured." - } - }, - "frontendHttpRedirects": { - "type": "array", - "defaultValue": [ - ], - "metadata": { - "description": "Optional. The http redirects to be configured. Each redirect will route http traffic to a pre-defined frontEnd https listener." - } - }, - "routingRules": { - "type": "array", - "metadata": { - "description": "Required. The routing rules to be configured. These rules will be used to route requests from frontend listeners to backend pools using a backend HTTP configuration." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all Resources." - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. 
Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Key Vault from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered." 
- } - } - }, - "variables": { - "diagnosticsMetrics": [ - { - "category": "AllMetrics", - "timeGrain": null, - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "diagnosticsLogs": [ - { - "category": "ApplicationGatewayAccessLog", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "ApplicationGatewayPerformanceLog", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "ApplicationGatewayFirewallLog", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "applicationGatewayResourceId": "[resourceId('Microsoft.Network/applicationGateways', parameters('applicationGatewayName'))]", - "diagnosticSettingName": "[concat(parameters('applicationGatewayName'), '/','Microsoft.Insights/service')]", - "subnetResourceId": "[resourceId(parameters('vNetSubscriptionId'), parameters('vNetResourceGroup'), 'Microsoft.Network/virtualNetworks/subnets', parameters('vNetName'), parameters('subnetName'))]", - "frontendPublicIPConfigurationName": "public", - "frontendPrivateIPConfigurationName": "private", - "frontendPrivateIPDynamicConfiguration": { - "privateIPAllocationMethod": "Dynamic", - "subnet": { - "id": "[variables('subnetResourceId')]" - } - }, - "frontendPrivateIPStaticConfiguration": { - "privateIPAllocationMethod": "Static", - "privateIPAddress": "[parameters('frontendPrivateIPAddress')]", - "subnet": { - "id": "[variables('subnetResourceId')]" - } - }, - "backendPoolsCount": "[length(parameters('backendPools'))]", - "backendHttpConfigurationsCount": "[length(parameters('backendHttpConfigurations'))]", - "probesCount": "[length(parameters('probes'))]", - "frontendHttpListenersCount": "[length(parameters('frontendHttpListeners'))]", - 
"frontendHttpsListenersCount": "[length(parameters('frontendHttpsListeners'))]", - "frontendHttpRedirectsCount": "[length(parameters('frontendHttpRedirects'))]", - "frontendListenerhttpsCertificateObject": { - "Id": "[concat(variables('applicationGatewayResourceId'), '/sslCertificates/', parameters('sslCertificateName'))]" - }, - "routingRulesCount": "[length(parameters('routingRules'))]", - "redirectConfigurationsHttpRedirectNamePrefix": "httpRedirect", - "httpListenerhttpRedirectNamePrefix": "httpRedirect", - "requestRoutingRuleHttpRedirectNamePrefix": "httpRedirect", - "wafConfiguration": { - "enabled": true, - "firewallMode": "Detection", - "ruleSetType": "OWASP", - "ruleSetVersion": "3.0", - "disabledRuleGroups": [ - ], - "requestBodyCheck": true, - "maxRequestBodySizeInKb": "128" - }, - "sslCertificates": [ - { - "name": "[parameters('sslCertificateName')]", - "properties": { - "keyVaultSecretId": "[parameters('sslCertificateKeyVaultSecretId')]" - } - } - ], - "copy": [ - { - "name": "backendAddressPools", - "count": "[variables('backendPoolsCount')]", - "input": { - "name": "[parameters('backendPools')[copyIndex('backendAddressPools')].backendPoolName]", - "type": "Microsoft.Network/applicationGateways/backendAddressPools", - "properties": { - "backendAddresses": "[if(contains(parameters('backendPools')[copyIndex('backendAddressPools')], 'BackendAddresses'), parameters('backendPools')[copyIndex('backendAddressPools')].BackendAddresses, variables('emptyArray'))]" - } - } - }, - { - "name": "probes", - "count": "[variables('probesCount')]", - "input": { - "name": "[concat(parameters('probes')[copyIndex('probes')].backendHttpConfigurationName,'Probe')]", - "type": "Microsoft.Network/applicationGateways/probes", - "properties": { - "protocol": "[parameters('probes')[copyIndex('probes')].protocol]", - "host": "[parameters('probes')[copyIndex('probes')].host]", - "path": "[parameters('probes')[copyIndex('probes')].path]", - "interval": 
"[if(contains(parameters('probes')[copyIndex('probes')], 'interval'), parameters('probes')[copyIndex('probes')].interval, 30)]", - "timeout": "[if(contains(parameters('probes')[copyIndex('probes')], 'timeout'), parameters('probes')[copyIndex('probes')].timeout, 30)]", - "unhealthyThreshold": "[if(contains(parameters('probes')[copyIndex('probes')], 'timeout'), parameters('probes')[copyIndex('probes')].unhealthyThreshold, 3)]", - "minServers": "[if(contains(parameters('probes')[copyIndex('probes')], 'timeout'), parameters('probes')[copyIndex('probes')].minServers, 0)]", - "match": { - "body": "[if(contains(parameters('probes')[copyIndex('probes')], 'timeout'), parameters('probes')[copyIndex('probes')].body, '')]", - "statusCodes": "[parameters('probes')[copyIndex('probes')].statusCodes]" - } - } - } - }, - { - "name": "backendHttpConfigurations", - "count": "[variables('backendHttpConfigurationsCount')]", - "input": { - "name": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].backendHttpConfigurationName]", - "properties": { - "Port": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].port]", - "Protocol": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].protocol]", - "CookieBasedAffinity": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].cookieBasedAffinity]", - "pickHostNameFromBackendAddress": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].pickHostNameFromBackendAddress]", - "probeEnabled": "[parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].probeEnabled]", - "probe": "[if(bool(parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].probeEnabled), - createObject('id', concat(variables('applicationGatewayResourceId'), '/probes/', parameters('backendHttpConfigurations')[copyIndex('backendHttpConfigurations')].backendHttpConfigurationName, 'Probe')), - 
json('null') - )]" - } - } - }, - { - "name": "frontendHttpsPorts", - "count": "[if(equals(variables('frontendHttpsListenersCount'),0),1,variables('frontendHttpsListenersCount'))]", - "input": { - "name": "[if(equals(variables('frontendHttpsListenersCount'),0),'dummy',concat('port',parameters('frontendHttpsListeners')[copyIndex('frontendHttpsPorts')].port))]", - "properties": { - "Port": "[if(equals(variables('frontendHttpsListenersCount'),0),0,parameters('frontendHttpsListeners')[copyIndex('frontendHttpsPorts')].port)]" - } - } - }, - { - "name": "frontendHttpsListeners", - "count": "[variables('frontendHttpsListenersCount')]", - "input": { - "name": "[parameters('frontendHttpsListeners')[copyIndex('frontendHttpsListeners')].frontendListenerName]", - "properties": { - "FrontendIPConfiguration": { - "Id": "[concat(variables('applicationGatewayResourceId'),'/frontendIPConfigurations/',parameters('frontendHttpsListeners')[copyIndex('frontendHttpsListeners')].frontendIPType)]" - }, - "FrontendPort": { - "Id": "[concat(variables('applicationGatewayResourceId'),'/frontendPorts/',concat('port',parameters('frontendHttpsListeners')[copyIndex('frontendHttpsListeners')].port))]" - }, - "Protocol": "https", - "SslCertificate": "[variables('frontendListenerhttpsCertificateObject')]" - } - } - }, - { - "name": "frontendHttpPorts", - "count": "[if(equals(variables('frontendHttpListenersCount'),0),1,variables('frontendHttpListenersCount'))]", - "input": { - "name": "[if(equals(variables('frontendHttpListenersCount'),0),'dummy',concat('port',parameters('frontendHttpListeners')[copyIndex('frontendHttpPorts')].port))]", - "properties": { - "Port": "[if(equals(variables('frontendHttpListenersCount'),0),0,parameters('frontendHttpListeners')[copyIndex('frontendHttpPorts')].port)]" - } - } - }, - { - "name": "frontendHttpListeners", - "count": "[variables('frontendHttpListenersCount')]", - "input": { - "name": 
"[parameters('frontendHttpListeners')[copyIndex('frontendHttpListeners')].frontendListenerName]", - "properties": { - "FrontendIPConfiguration": { - "Id": "[concat(variables('applicationGatewayResourceId'),'/frontendIPConfigurations/',parameters('frontendHttpListeners')[copyIndex('frontendHttpListeners')].frontendIPType)]" - }, - "FrontendPort": { - "Id": "[concat(variables('applicationGatewayResourceId'),'/frontendPorts/',concat('port',parameters('frontendHttpListeners')[copyIndex('frontendHttpListeners')].port))]" - }, - "Protocol": "http" - } - } - }, - { - "name": "httpsRequestRoutingRules", - "count": "[variables('routingRulesCount')]", - "input": { - "name": "[concat(parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].frontendListenerName,'-',concat(parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].backendHttpConfigurationName),'-',concat(parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].backendHttpConfigurationName))]", - "properties": { - "RuleType": "Basic", - "httpListener": { - "id": "[concat(variables('applicationGatewayResourceId'), '/httpListeners/', parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].frontendListenerName)]" - }, - "backendAddressPool": { - "id": "[concat(variables('applicationGatewayResourceId'), '/backendAddressPools/', parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].backendPoolName)]" - }, - "backendHttpSettings": { - "id": "[concat(variables('applicationGatewayResourceId'), '/backendHttpSettingsCollection/', parameters('routingRules')[copyIndex('httpsRequestRoutingRules')].backendHttpConfigurationName)]" - } - } - } - }, - { - "name": "frontendHttpRedirectPorts", - "count": "[if(equals(variables('frontendHttpRedirectsCount'),0),1,variables('frontendHttpRedirectsCount'))]", - "input": { - "name": 
"[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat('port',parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirectPorts')].port))]", - "properties": { - "Port": "[if(equals(variables('frontendHttpRedirectsCount'),0),0,parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirectPorts')].port)]" - } - } - }, - { - "name": "frontendHttpRedirects", - "count": "[if(equals(variables('frontendHttpRedirectsCount'),0),1,variables('frontendHttpRedirectsCount'))]", - "input": { - "name": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('httpListenerhttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirects')].port))]", - "properties": { - "FrontendIPConfiguration": { - "Id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('applicationGatewayResourceId'),'/frontendIPConfigurations/',parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirects')].frontendIPType))]" - }, - "FrontendPort": { - "Id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('applicationGatewayResourceId'),'/frontendPorts/',concat('port',parameters('frontendHttpRedirects')[copyIndex('frontendHttpRedirects')].port)))]" - }, - "Protocol": "http" - } - } - }, - { - "name": "httpRequestRoutingRules", - "count": "[if(equals(variables('frontendHttpRedirectsCount'),0),1,variables('frontendHttpRedirectsCount'))]", - "input": { - "name": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('requestRoutingRuleHttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRequestRoutingRules')].port,'-',parameters('frontendHttpRedirects')[copyIndex('httpRequestRoutingRules')].frontendListenerName))]", - "properties": { - "RuleType": "Basic", - "httpListener": { - "id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('applicationGatewayResourceId'), '/httpListeners/', 
concat(variables('httpListenerhttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRequestRoutingRules')].port)))]" - }, - "redirectConfiguration": { - "id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('applicationGatewayResourceId'), '/redirectConfigurations/', concat(variables('redirectConfigurationsHttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRequestRoutingRules')].port)))]" - } - } - } - }, - { - "name": "httpRedirectConfigurations", - "count": "[if(equals(variables('frontendHttpRedirectsCount'),0),1,variables('frontendHttpRedirectsCount'))]", - "input": { - "name": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('redirectConfigurationsHttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRedirectConfigurations')].port))]", - "properties": { - "redirectType": "Permanent", - "includePath": true, - "includeQueryString": true, - "requestRoutingRules": [ - { - "id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('ApplicationGatewayResourceID'), '/requestRoutingRules/', concat(variables('requestRoutingRuleHttpRedirectNamePrefix'),parameters('frontendHttpRedirects')[copyIndex('httpRedirectConfigurations')].port,'-',parameters('frontendHttpRedirects')[copyIndex('httpRedirectConfigurations')].frontendListenerName)))]" - } - ], - "targetListener": { - "id": "[if(equals(variables('frontendHttpRedirectsCount'),0),'dummy',concat(variables('ApplicationGatewayResourceID'), '/httpListeners/', parameters('frontendHttpRedirects')[copyIndex('httpRedirectConfigurations')].frontendListenerName))]" - } - } - } - } - ], - "emptyArray": [ - ], - "frontendPorts": 
"[concat(if(empty(parameters('frontendHttpListeners')),variables('emptyArray'),variables('frontendHttpPorts')),if(empty(parameters('frontendHttpsListeners')),variables('emptyArray'),variables('frontendHttpsPorts')),if(empty(parameters('frontendHttpRedirects')),variables('emptyArray'),variables('frontendHttpRedirectPorts')))]", - "httpListeners": "[concat(if(empty(parameters('frontendHttpListeners')),variables('emptyArray'),variables('frontendHttpListeners')),if(empty(parameters('frontendHttpsListeners')),variables('emptyArray'),variables('frontendHttpsListeners')),if(empty(parameters('frontendHttpRedirects')),variables('emptyArray'),variables('frontendHttpRedirects')))]", - "redirectConfigurations": "[if(empty(parameters('frontendHttpRedirects')),variables('emptyArray'),variables('httpRedirectConfigurations'))]", - "requestRoutingRules": "[concat(variables('httpsRequestRoutingRules'),if(empty(parameters('frontendHttpRedirects')),variables('emptyArray'),variables('httpRequestRoutingRules')))]", - "identity": { - "type": "UserAssigned", - "userAssignedIdentities": { - "[parameters('managedIdentityResourceId')]": {} - } - }, - "builtInRoleNames": { - "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", - "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", - "Automation Job 
Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", - "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", - "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", - "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", - "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", - "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", - "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", - "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", - "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", - "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", - "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", - "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", - "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", - "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", - "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", - "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", - "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", - "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data 
Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", - "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", - "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", - "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", - "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", - "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Intelligent Systems Account Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", - "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", - "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", - "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", 
- "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", - "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - 
"Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.Network/applicationGateways", - "name": "[parameters('applicationGatewayName')]", - "apiVersion": "2021-02-01", - "location": "[parameters('location')]", - "identity": "[if(empty(parameters('managedIdentityResourceId')), json('null'), variables('identity'))]", - "tags": "[parameters('tags')]", - "dependsOn": [ - ], - "properties": { - "sku": { - "name": "[parameters('sku')]", - "tier": "[if(endsWith(parameters('sku'),'v2'),parameters('sku'),substring(parameters('sku'),0,indexOf(parameters('sku'),'_')))]", - "capacity": "[parameters('capacity')]" - }, - "gatewayIPConfigurations": [ - { - "name": "[parameters('gatewayIpConfigurationName')]", - "properties": { - "subnet": { - "id": "[variables('subnetResourceId')]" - } - } - } - ], - "frontendIPConfigurations": [ - { - "name": "[variables('frontendPrivateIPConfigurationName')]", - "type": "Microsoft.Network/applicationGateways/frontendIPConfigurations", - "properties": "[if(empty(parameters('frontendPrivateIPAddress')),variables('frontendPrivateIPDynamicConfiguration'),variables('frontendPrivateIPStaticConfiguration'))]" - }, - { - "name": "[variables('frontendPublicIPConfigurationName')]", - "properties": { - "PublicIPAddress": { - "id": "[parameters('frontendPublicIpResourceId')]" - } - } - } - ], - 
"sslCertificates": "[if(empty(parameters('sslCertificateKeyVaultSecretId')), json('null'), variables('sslCertificates'))]", - "backendAddressPools": "[variables('backendAddressPools')]", - "probes": "[variables('probes')]", - "backendHttpSettingsCollection": "[variables('backendHttpConfigurations')]", - "frontendPorts": "[variables('frontendPorts')]", - "httpListeners": "[variables('httpListeners')]", - "redirectConfigurations": "[variables('redirectConfigurations')]", - "requestRoutingRules": "[variables('requestRoutingRules')]", - "enableHttp2": "[parameters('http2Enabled')]", - "webApplicationFirewallConfiguration": "[if(startsWith(parameters('sku'),'WAF'), variables('wafConfiguration'),json('null'))]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/appGatewaysDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.Network/applicationGateways/', parameters('applicationGatewayName'))]" - ], - "comments": "Resource lock on Application Gateway", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "name": "[variables('diagnosticSettingName')]", - "dependsOn": [ - "[variables('applicationGatewayResourceId')]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - 
"eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('applicationGatewayName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "applicationGatewayName": { - "value": "[parameters('applicationGatewayName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "applicationGatewayName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/applicationGateways/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('applicationGatewayName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('applicationGatewayName'), 
array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
- "dependsOn": [
- ],
- "copy": {
- "name": "innerRbacCopy",
- "count": "[length(parameters('roleAssignment').principalIds)]"
- },
- "properties": {
- "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
- "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
- }
- }
- ]
- }
- }
- }
- ],
- "functions": [
- ],
- "outputs": {
- "applicationGatewayName": {
- "type": "string",
- "value": "[parameters('applicationGatewayName')]",
- "metadata": {
- "description": "The Application Gateway Name"
- }
- },
- "applicationGatewayResourceId": {
- "type": "string",
- "value": "[variables('applicationGatewayResourceId')]",
- "metadata": {
- "description": "The Resource Id of the Application Gateway"
- }
- },
- "applicationGatewayResourceGroup": {
- "type": "string",
- "value": "[resourceGroup().name]",
- "metadata": {
- "description": "The name of the Resource Group with the Application Gateway"
- }
- }
- }
-}
diff --git a/arm/Microsoft.Network/applicationGateways/readme.md b/arm/Microsoft.Network/applicationGateways/readme.md
index 581aac8020df91c282eb30b6accf1afa0c45eb39..477222e9e788fb9e14bcafc37cf3df02a0159d9f 100644
GIT binary patch
delta 47
zcmV+~0MP%k-~yE30iAk`4p@<=$p^PDuA%!6o$S&UO$a;Ad0C?9A
A7XSbN
diff --git a/arm/Microsoft.Network/applicationSecurityGroups/deploy.bicep b/arm/Microsoft.Network/applicationSecurityGroups/deploy.bicep
index d0c5f92ffd..03a12794dd 100644
--- a/arm/Microsoft.Network/applicationSecurityGroups/deploy.bicep
+++ b/arm/Microsoft.Network/applicationSecurityGroups/deploy.bicep
@@ -66,9 +66,6 @@ module applicationSecurityGroup_rbac './.bicep/nested_rbac.bicep' = [for (roleAs
 builtInRoleNames: builtInRoleNames
 resourceName: applicationSecurityGroup.name
 }
- dependsOn: [
- applicationSecurityGroup
- ]
 }]
 output applicationSecurityGroupsResourceGroup string = resourceGroup().name
diff --git a/arm/Microsoft.Network/applicationSecurityGroups/deploy.json b/arm/Microsoft.Network/applicationSecurityGroups/deploy.json
deleted file mode 100644
index f71345750b..0000000000
--- a/arm/Microsoft.Network/applicationSecurityGroups/deploy.json
+++ /dev/null
@@ -1,354 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "applicationSecurityGroupName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Application Security Group." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Virtual Network from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "builtInRoleNames": { - "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration Data Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", - "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", - "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", - "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", - "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", - "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", - "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", - "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", - "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", - "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", - "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", - "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", - "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data 
Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", - "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", - "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", - "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", - "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Experimentation 
Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", - "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", - "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", - "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", - "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", - "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'350f8d15-c687-4448-8ae1-157740a3936d')]", - "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", - "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", - "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", - "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", - "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", - "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", - "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.Network/applicationSecurityGroups", - "apiVersion": "2021-02-01", - "name": "[parameters('applicationSecurityGroupName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": 
"Microsoft.Authorization/applicationSecurityGroupDoNotDelete", - "dependsOn": [ - "[resourceId('Microsoft.Network/applicationSecurityGroups/', parameters('applicationSecurityGroupName'))]" - ], - "comments": "Resource lock on Application Security Group", - "properties": { - "level": "CannotDelete" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('applicationSecurityGroupName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "applicationSecurityGroupName": { - "value": "[parameters('applicationSecurityGroupName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "applicationSecurityGroupName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/applicationSecurityGroups/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('applicationSecurityGroupName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('applicationSecurityGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": 
"[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "applicationSecurityGroupsResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the Application Security Groups were created in." - } - }, - "applicationSecurityGroupsResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('applicationSecurityGroupName'))]", - "metadata": { - "description": "The Resource Ids of the Application Security Group deployed." - } - }, - "applicationSecurityGroupsName": { - "type": "string", - "value": "[parameters('applicationSecurityGroupName')]", - "metadata": { - "description": "The Name of the Application Security Group deployed." - } - } - } -} \ No newline at end of file diff --git a/arm/Microsoft.Network/applicationSecurityGroups/readme.md b/arm/Microsoft.Network/applicationSecurityGroups/readme.md index 5b6b501f44..ce93935fe7 100644 --- a/arm/Microsoft.Network/applicationSecurityGroups/readme.md +++ b/arm/Microsoft.Network/applicationSecurityGroups/readme.md @@ -9,7 +9,7 @@ This module deploys Application Security Groups. |:--|:--| |`Microsoft.Resources/deployments`|2018-02-01| |`Microsoft.Network/applicationSecurityGroups`|2021-02-01| -|`providers/locks`|2016-09-01| +|`Microsoft.Authorization/locks`|2016-09-01| |`Microsoft.Network/applicationSecurityGroups/providers/roleAssignments`|2018-09-01-preview| ## Parameters 
diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_cuaId.bicep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..c6975a5461
--- /dev/null
+++ b/arm/Microsoft.Network/azureFirewalls/.bicep/nested_rbac.bicep
@@ -0,0 +1,12 @@
+param roleAssignmentObj object
+param builtInRoleNames object
+param resourceName string
+
+resource roleAssignment 'Microsoft.Network/azureFirewalls/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+ properties: {
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
+ principalId: principalId
+ }
+ dependsOn: []
+}]
diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.bicep b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
new file mode 100644
index 0000000000..8cbe54631f
--- /dev/null
+++ b/arm/Microsoft.Network/azureFirewalls/deploy.bicep
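Review bot: The `roleDefinitionId` ternary passes any `roleAssignmentObj.roleDefinitionIdOrName` that is not a key of `builtInRoleNames` through verbatim, so a display name the (now much shorter) Bicep lookup table does not know — the deleted ARM templates in this patch mapped dozens more, e.g. the Storage Blob roles — is sent to ARM as a role definition ID and fails at deployment time instead of being rejected with a clear message; at minimum the parameter description should state that only names present in `builtInRoleNames` or a fully qualified `/providers/Microsoft.Authorization/roleDefinitions/<guid>` ID are accepted. The assignment sets no `principalType`; for newly created managed identities or service principals, passing `principalType: 'ServicePrincipal'` (presumably as an optional field of `roleAssignmentObj`, whose schema is not visible here) avoids the replication-lag "principal not found" failures that otherwise hit fresh identities — worth confirming against the consumers. The assignment name is now `guid(resourceName, principalId, roleDefinitionIdOrName)`, whereas the deleted ASG template derived it via `guid(uniqueString(concat(...)))`; if the deleted firewall template did the same, assignments created by the old module will not match by name on redeploy, so check whether that produces a conflict on an identical existing assignment. `dependsOn: []` is a no-op and can be dropped.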
@@ -0,0 +1,281 @@ +@description('Required. Name of the Azure Firewall.') +param azureFirewallName string + +@description('Optional. Name of an Azure Firewall SKU.') +@allowed([ + 'AZFW_VNet' + 'AZFW_Hub' +]) +param azureSkuName string = 'AZFW_VNet' + +@description('Optional. Tier of an Azure Firewall.') +@allowed([ + 'Standard' + 'Premium' +]) +param azureSkuTier string = 'Standard' + +@description('Optional. Enable the preview feature for DNS proxy.') +param enableDnsProxy bool = false + +@description('Optional. Collection of application rule collections used by Azure Firewall.') +param applicationRuleCollections array = [] + +@description('Optional. Collection of network rule collections used by Azure Firewall.') +param networkRuleCollections array = [] + +@description('Optional. Collection of NAT rule collections used by Azure Firewall.') +param natRuleCollections array = [] + +@description('Required. Shared services Virtual Network resource Id') +param vNetId string + +@description('Optional. Specifies the name of the Public IP used by Azure Firewall. If it\'s not provided, a \'-pip\' suffix will be appended to the Firewall\'s name.') +param azureFirewallPipName string = '' + +@description('Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.') +param publicIPPrefixId string = '' + +@description('Optional. Diagnostic Storage Account resource identifier') +param diagnosticStorageAccountId string = '' + +@description('Optional. Log Analytics workspace resource identifier') +param workspaceId string = '' + +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. 
Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Optional. Zone numbers e.g. 1,2,3.') +param availabilityZones array = [ + '1' + '2' + '3' +] + +@description('Optional. Switch to lock the Firewall from deletion.') +param lockForDeletion bool = false + +@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + +@description('Optional. Tags of the Automation Account resource.') +param tags object = {} + +@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') +param cuaId string = '' + +var publicIPPrefix = { + id: publicIPPrefixId +} +var azureFirewallSubnetId = '${vNetId}/subnets/AzureFirewallSubnet' +var azureFirewallPipName_var = (empty(azureFirewallPipName) ? 
'${azureFirewallName}-pip' : azureFirewallPipName) +var azureFirewallPipId = azureFirewallPip.id +var diagnosticsMetrics = [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } +] +var diagnosticsLogsAzureFirewall = [ + { + category: 'AzureFirewallApplicationRule' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } + { + category: 'AzureFirewallNetworkRule' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } + { + category: 'AzureFirewallDnsProxy' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } +] +var diagnosticsLogsPublicIp = [ + { + category: 'DDoSProtectionNotifications' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } + { + category: 'DDoSMitigationFlowLogs' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } + { + category: 'DDoSMitigationReports' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } +] +var builtInRoleNames = { + 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Avere Cluster Create': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a7b1b19a-0e83-4fe5-935c-faaefbfd18c3') + 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a') + 'Azure Service Deploy Release Management Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions','21d96096-b162-414a-8302-d8354f9d91b2') + 'CAL-Custom-Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','7b266cd7-0bba-4ae2-8423-90ede5e1e898') + 'ExpressRoute Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a48d7896-14b4-4889-afef-fbb65a96e5a2') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893') + 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e') + 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae') + 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44') + 'masterreader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a48d7796-14b4-4889-afef-fbb65a93e5a2') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05') + 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4d97b98b-1d4f-4787-a291-c67834d212e7') + 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + 
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource azureFirewallPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = { + name: azureFirewallPipName_var + location: location + tags: tags + sku: { + name: 'Standard' + } + zones: availabilityZones + properties: { + publicIPAllocationMethod: 'Static' + publicIPAddressVersion: 'IPv4' + publicIPPrefix: ((!empty(publicIPPrefixId)) ? publicIPPrefix : json('null')) + } +} + +resource azureFirewallPip_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) { + name: '${azureFirewallPip.name}-doNotDelete' + properties: { + level: 'CanNotDelete' + } + scope: azureFirewallPip +} + +resource azureFirewallPip_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${azureFirewallPip.name}-diagnosticSettings' + properties: { + storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId) + workspaceId: (empty(workspaceId) ? json('null') : workspaceId) + eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) + eventHubName: (empty(eventHubName) ? json('null') : eventHubName) + metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) + logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogsPublicIp) + } + scope: azureFirewallPip +} + +resource azureFirewall 'Microsoft.Network/azureFirewalls@2021-02-01' = { + name: azureFirewallName + location: location + zones: ((length(availabilityZones) == 0) ? 
json('null') : availabilityZones) + tags: tags + properties: { + threatIntelMode: 'Deny' + ipConfigurations: [ + { + name: 'IpConf' + properties: { + subnet: { + id: azureFirewallSubnetId + } + publicIPAddress: { + id: azureFirewallPipId + } + } + } + ] + sku: { + name: azureSkuName + tier: azureSkuTier + } + additionalProperties: { + 'Network.DNS.EnableProxy': string(enableDnsProxy) + } + applicationRuleCollections: applicationRuleCollections + natRuleCollections: natRuleCollections + networkRuleCollections: networkRuleCollections + } +} + +resource azureFirewall_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) { + name: '${azureFirewall.name}-doNotDelete' + properties: { + level: 'CanNotDelete' + } + scope: azureFirewall +} + +resource azureFirewall_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${azureFirewall.name}-diagnosticSettings' + properties: { + storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId) + workspaceId: (empty(workspaceId) ? json('null') : workspaceId) + eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) + eventHubName: (empty(eventHubName) ? json('null') : eventHubName) + metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics) + logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? 
json('null') : diagnosticsLogsAzureFirewall) + } + scope: azureFirewall +} + +module rbac_name './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: 'rbac-${deployment().name}${index}' + params: { + roleAssignmentObj: roleAssignment + builtInRoleNames: builtInRoleNames + resourceName: azureFirewall.name + } +}] + +output azureFirewallResourceId string = azureFirewall.id +output azureFirewallName string = azureFirewall.name +output azureFirewallResourceGroup string = resourceGroup().name +output azureFirewallPrivateIp string = azureFirewall.properties.ipConfigurations[0].properties.privateIPAddress +output azureFirewallPublicIp string = azureFirewallPip.properties.ipAddress +output applicationRuleCollections array = applicationRuleCollections +output networkRuleCollections array = networkRuleCollections +output natRuleCollections array = natRuleCollections diff --git a/arm/Microsoft.Network/azureFirewalls/deploy.json b/arm/Microsoft.Network/azureFirewalls/deploy.json deleted file mode 100644 index 7a6715dff1..0000000000 --- a/arm/Microsoft.Network/azureFirewalls/deploy.json +++ /dev/null 
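Review bot: The `roleAssignments` parameter description says each object carries `'principalId'`, but the `rbac_name` module's template iterates `roleAssignmentObj.principalIds` (plural array), so a caller following the description gets a deployment-time property error; change the text to `... contain the 'roleDefinitionIdOrName' and 'principalIds' (array) to define RBAC role assignments ...`. The `tags` description, `'Optional. Tags of the Automation Account resource.'`, is a copy-paste leftover and should read `'Optional. Tags of the Azure Firewall resource.'`. The public IP sets `zones: availabilityZones` unconditionally while `azureFirewall` guards with `length(availabilityZones) == 0 ? json('null') : availabilityZones`, so an empty array reaches the PIP resource but not the firewall; apply the same guard on `azureFirewallPip` so a non-zonal deployment is expressed consistently for both. `threatIntelMode: 'Deny'` is a sound hard-coded default, but if callers need `'Alert'` for staged rollout it would be better exposed as `param threatIntelMode string = 'Deny'` with `@allowed(['Alert', 'Deny', 'Off'])` rather than edited in the module.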
@@ -1,664 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "azureFirewallName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Firewall." - } - }, - "azureSkuName": { - "type": "string", - "defaultValue": "AZFW_VNet", - "allowedValues": [ "AZFW_VNet", "AZFW_Hub" ], - "metadata": { - "description": "Optional. Name of an Azure Firewall SKU." - } - }, - "azureSkuTier": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": [ "Standard", "Premium" ], - "metadata": { - "description": "Optional. Tier of an Azure Firewall." - } - }, - "enableDnsProxy": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Enable the preview feature for DNS proxy." - } - }, - "applicationRuleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of application rule collections used by Azure Firewall." - } - }, - "networkRuleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of network rule collections used by Azure Firewall." - } - }, - "natRuleCollections": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Collection of NAT rule collections used by Azure Firewall." - } - }, - "vNetId": { - "type": "string", - "metadata": { - "description": "Required. Shared services Virtual Network resource Id" - } - }, - "azureFirewallPipName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the name of the Public IP used by Azure Firewall. If it's not provided, a '-pip' suffix will be appended to the Firewall's name." - } - }, - "publicIPPrefixId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource Id of the Public IP Prefix object. 
This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Diagnostic Storage Account resource identifier" - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Log Analytics workspace resource identifier" - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "availabilityZones": { - "type": "array", - "defaultValue": [ - "1", - "2", - "3" - ], - "metadata": { - "description": "Optional. Zone numbers e.g. 1,2,3." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock the Firewall from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. 
In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Tags of the Automation Account resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered" - } - } - }, - "variables": { - "publicIPPrefix": { - "id": "[parameters('publicIPPrefixId')]" - }, - "azureFirewallSubnetId": "[concat(parameters('vNetId'), '/subnets/AzureFirewallSubnet')]", - "azureFirewallPipName": "[if( empty(parameters('azureFirewallPipName')), concat(parameters('azureFirewallName'), '-pip'), parameters('azureFirewallPipName'))]", - "azureFirewallPipId": "[resourceId('Microsoft.Network/publicIPAddresses', variables('azureFirewallPipName'))]", - "diagnosticsMetrics": [ - { - "category": "AllMetrics", - "timeGrain": null, - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "diagnosticsLogsAzureFirewall": [ - { - "category": "AzureFirewallApplicationRule", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "AzureFirewallNetworkRule", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "AzureFirewallDnsProxy", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "diagnosticsLogsPublicIp": [ - { - "category": "DDoSProtectionNotifications", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": 
"[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "DDoSMitigationFlowLogs", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "DDoSMitigationReports", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "builtInRoleNames": { - "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", - "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", - "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - 
"Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", - "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", - "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service 
Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", - "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", - "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", - "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", - "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", - "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", - "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", - "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", - "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'434105ed-43f6-45c7-a02f-909b2ba83430')]", - "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", - "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", - "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", - "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", - "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", - "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", - "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", - "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "HDInsight Domain Services Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", - "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", - "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", - "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", - "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'91c1777a-f3dc-4fae-b103-61d183457e46')]", - "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", - "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", - "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - 
"Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", - "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage 
File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "name": "[variables('azureFirewallPipName')]", - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2021-02-01", - 
"location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "Standard" - }, - "zones": "[parameters('availabilityZones')]", - "properties": { - "publicIPAllocationMethod": "Static", - "publicIPAddressVersion": "IPv4", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixId'))), variables('publicIPPrefix'), json('null'))]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/publicIpDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.Network/publicIPAddresses/', variables('azureFirewallPipName'))]" - ], - "comments": "Resource lock on Public IP", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "location": "[parameters('location')]", - "name": "[concat(variables('azureFirewallPipName'), '/Microsoft.Insights/service')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.Network/publicIPAddresses/', variables('azureFirewallPipName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), 
empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogsPublicIp'))]" - } - } - ] - }, - { - "type": "Microsoft.Network/azureFirewalls", - "apiVersion": "2021-02-01", - "name": "[parameters('azureFirewallName')]", - "location": "[parameters('location')]", - "zones": "[if(equals(length(parameters('availabilityZones')), 0), json('null'), parameters('availabilityZones'))]", - "dependsOn": [ - "[resourceId('Microsoft.Network/publicIPAddresses', variables('azureFirewallPipName'))]" - ], - "tags": "[parameters('tags')]", - "properties": { - "threatIntelMode": "Deny", - "ipConfigurations": [ - { - "name": "IpConf", - "properties": { - "subnet": { - "id": "[variables('azureFirewallSubnetId')]" - }, - "publicIPAddress": { - "id": "[variables('azureFirewallPipId')]" - } - } - } - ], - "sku": { - "name": "[parameters('azureSkuName')]", - "tier": "[parameters('azureSkuTier')]" - }, - "additionalProperties": { - "Network.DNS.EnableProxy": "[parameters('enableDnsProxy')]" - }, - "applicationRuleCollections": "[parameters('applicationRuleCollections')]", - "natRuleCollections": "[parameters('natRuleCollections')]", - "networkRuleCollections": "[parameters('networkRuleCollections')]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/azureFirewallDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.Network/azureFirewalls/', parameters('azureFirewallName'))]" - ], - "comments": "Resource lock on Azure Firewall", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.Network/azureFirewalls/providers/diagnosticsettings", - "name": "[concat(parameters('azureFirewallName'), 
'/Microsoft.Insights/service')]", - "apiVersion": "2016-09-01", - "location": "[parameters('location')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.Network/azureFirewalls/', parameters('azureFirewallName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogsAzureFirewall'))]" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('azureFirewallName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - 
"builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "azureFirewallName": { - "value": "[parameters('azureFirewallName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "azureFirewallName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/azureFirewalls/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('azureFirewallName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('azureFirewallName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "azureFirewallResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/azureFirewalls', parameters('azureFirewallName'))]", - "metadata": { - "description": "The Resource Id of the Azure Firewall." - } - }, - "azureFirewallName": { - "type": "string", - "value": "[parameters('azureFirewallName')]", - "metadata": { - "description": "The Name of the Azure Firewall." 
- }
- },
- "azureFirewallResourceGroup": {
- "type": "string",
- "value": "[resourceGroup().name]",
- "metadata": {
- "description": "The name of the Resource Group the Azure Firewall was created in."
- }
- },
- "azureFirewallPrivateIp": {
- "type": "string",
- "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('azureFirewallName'))).ipConfigurations[0].properties.privateIPAddress]",
- "metadata": {
- "description": "The private IP of the Azure Firewall."
- }
- },
- "azureFirewallPublicIp": {
- "type": "string",
- "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', variables('azureFirewallPipName'))).ipAddress]",
- "metadata": {
- "description": "The public IP of the Azure Firewall."
- }
- },
- "applicationRuleCollections": {
- "type": "array",
- "value": "[parameters('applicationRuleCollections')]",
- "metadata": {
- "description": "List of Application Rule Collections."
- }
- },
- "networkRuleCollections": {
- "type": "array",
- "value": "[parameters('networkRuleCollections')]",
- "metadata": {
- "description": "List of Network Rule Collections."
- }
- },
- "natRuleCollections": {
- "type": "array",
- "value": "[parameters('natRuleCollections')]",
- "metadata": {
- "description": "Collection of NAT rule collections used by Azure Firewall."
- }
- }
- }
-}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/azureFirewalls/readme.md b/arm/Microsoft.Network/azureFirewalls/readme.md
index 844387efd4..c2bae41731 100644
--- a/arm/Microsoft.Network/azureFirewalls/readme.md
+++ b/arm/Microsoft.Network/azureFirewalls/readme.md
@@ -7,12 +7,11 @@ This module deploys Azure Firewall. |Resource Type|Api Version| |:--|:--| |`Microsoft.Network/publicIPAddresses`|2021-02-01| -|`Microsoft.Network/publicIPAddresses/providers/diagnosticSettings`|2017-05-01-preview| |`Microsoft.Network/azureFirewalls`|2021-02-01| |`Microsoft.Resources/deployments`|2019-10-01| -|`Microsoft.Network/azureFirewalls/providers/diagnosticsettings`|2016-09-01| +|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview| |`Microsoft.Network/azureFirewalls/providers/roleAssignments`|2018-09-01-preview| -| `providers/locks` | 2016-09-01 | +|`Microsoft.Authorization/locks`|2016-09-01| ## Parameters diff --git a/arm/Microsoft.Network/bastionHosts/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/bastionHosts/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..b5fe01f7ed --- /dev/null +++ b/arm/Microsoft.Network/bastionHosts/.bicep/nested_rbac.bicep @@ -0,0 +1,12 @@ +param roleAssignmentObj object +param builtInRoleNames object +param resourceName string + +resource roleAssignment 'Microsoft.Network/bastionHosts/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignmentObj.principalIds: { + name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}' + properties: { + roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName) + principalId: principalId + } + dependsOn: [] +}] diff --git a/arm/Microsoft.Network/bastionHosts/deploy.bicep b/arm/Microsoft.Network/bastionHosts/deploy.bicep new file mode 100644 index 0000000000..9e8c6f2dae --- /dev/null +++ b/arm/Microsoft.Network/bastionHosts/deploy.bicep 
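Review bot: The three `param` declarations in nested_rbac.bicep carry no `@description` decorators, unlike every parameter in the accompanying deploy.bicep; add e.g. `@description('Required. Role assignment object holding roleDefinitionIdOrName and principalIds.')` above `roleAssignmentObj` and matching one-liners for `builtInRoleNames` and `resourceName`. The assignment name is seeded with the caller-supplied string, `guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)`, rather than the resolved role definition ID, so the same role passed once by display name and once by full ID would presumably yield two differently named assignments for one principal/role/scope; hoisting the ternary into `var roleDefinitionId = ...` and seeding `guid()` with it keeps the name stable across both spellings. The `dependsOn: []` on the resource is an empty no-op and can be dropped.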
@@ -0,0 +1,213 @@ +@description('Required. Name of the Azure Bastion resource') +param azureBastionName string + +@description('Optional. Location for all resources.') +param location string = resourceGroup().location + +@description('Required. Shared services Virtual Network resource identifier') +param vNetId string + +@description('Optional. Specifies the name of the Public IP used by Azure Bastion. If it\'s not provided, a \'-pip\' suffix will be appended to the Bastion\'s name.') +param azureBastionPipName string = '' + +@description('Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix.') +param publicIPPrefixId string = '' + +@description('Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com') +param domainNameLabel string = '' + +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource identifier of the Diagnostic Storage Account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource identifier of Log Analytics.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + +@description('Optional. Switch to lock Key Vault from deletion.') +param lockForDeletion bool = false + +@description('Optional. 
Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'') +param roleAssignments array = [] + +@description('Optional. Tags of the resource.') +param tags object = {} + +@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered') +param cuaId string = '' + +var publicIPPrefix = { + id: publicIPPrefixId +} +var diagnosticsMetrics = [ + { + category: 'AllMetrics' + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } +] +var publicIpDiagnosticsLogs = [ + { + category: 'DDoSProtectionNotifications' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } + { + category: 'DDoSMitigationFlowLogs' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } + { + category: 'DDoSMitigationReports' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } +] +var azureBastionDiagnosticsLogs = [ + { + category: 'BastionAuditLogs' + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } + } +] +var builtInRoleNames = { + 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635') + 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c') + 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7') + 'Avere Cluster Create': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a7b1b19a-0e83-4fe5-935c-faaefbfd18c3') + 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a') + 'Azure Service Deploy Release Management Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','21d96096-b162-414a-8302-d8354f9d91b2') + 'CAL-Custom-Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','7b266cd7-0bba-4ae2-8423-90ede5e1e898') + 'ExpressRoute Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a48d7896-14b4-4889-afef-fbb65a96e5a2') + 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293') + 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893') + 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e') + 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae') + 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44') + 'masterreader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','a48d7796-14b4-4889-afef-fbb65a93e5a2') + 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa') + 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb') + 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05') + 'Network Contributor': 
subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4d97b98b-1d4f-4787-a291-c67834d212e7') + 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608') + 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') +} + +module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { + name: 'pid-${cuaId}' + params: {} +} + +resource azureBastionPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = { + name: (empty(azureBastionPipName) ? '${azureBastionName}-pip' : azureBastionPipName) + location: location + tags: tags + sku: { + name: 'Standard' + } + properties: { + publicIPAllocationMethod: 'Static' + publicIPPrefix: ((!empty(publicIPPrefixId)) ? publicIPPrefix : json('null')) + dnsSettings: ((!empty(domainNameLabel)) ? json('{"domainNameLabel": "${domainNameLabel}"}') : json('null')) + } +} + +resource azureBastionPip_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) { + name: '${azureBastionPip.name}-doNotDelete' + properties: { + level: 'CanNotDelete' + } + scope: azureBastionPip +} + +resource azureBastionPip_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${azureBastionPip.name}-diagnosticSettings' + properties: { + storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId) + workspaceId: (empty(workspaceId) ? json('null') : workspaceId) + eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) + eventHubName: (empty(eventHubName) ? json('null') : eventHubName) + metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? 
json('null') : diagnosticsMetrics) + logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : publicIpDiagnosticsLogs) + } + scope: azureBastionPip +} + +resource azureBastion 'Microsoft.Network/bastionHosts@2021-02-01' = { + name: azureBastionName + location: location + tags: tags + properties: { + ipConfigurations: [ + { + name: 'IpConf' + properties: { + subnet: { + id: '${vNetId}/subnets/AzureBastionSubnet' + } + publicIPAddress: { + id: azureBastionPip.id + } + } + } + ] + } +} + +resource azureBastion_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) { + name: '${azureBastion.name}-doNotDelete' + properties: { + level: 'CanNotDelete' + } + scope: azureBastion +} + +resource azureBastion_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${azureBastion.name}-diagnosticSettings' + properties: { + storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId) + workspaceId: (empty(workspaceId) ? json('null') : workspaceId) + eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId) + eventHubName: (empty(eventHubName) ? json('null') : eventHubName) + logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? 
json('null') : azureBastionDiagnosticsLogs) + } + scope: azureBastion +} + +module azureBastion_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: { + name: 'rbac-${deployment().name}${index}' + params: { + roleAssignmentObj: roleAssignment + builtInRoleNames: builtInRoleNames + resourceName: azureBastion.name + } +}] + +output azureBastionResourceGroup string = resourceGroup().name +output azureBastionName string = azureBastion.name +output azureBastionResourceId string = azureBastion.id diff --git a/arm/Microsoft.Network/bastionHosts/deploy.json b/arm/Microsoft.Network/bastionHosts/deploy.json deleted file mode 100644 index 40cbacfafb..0000000000 --- a/arm/Microsoft.Network/bastionHosts/deploy.json +++ /dev/null 
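Review bot: The `builtInRoleNames` map in the new deploy.bicep resolves only about twenty display names, while the deleted deploy.json that follows in this patch resolved a far longer list including names such as 'AcrPull' and 'Key Vault Contributor'; a caller still passing one of the dropped names now falls through the `contains()` check in nested_rbac.bicep and the bare display name is written into `roleDefinitionId`, so the assignment fails at deployment time instead of resolving — if the trim is intentional, the `roleAssignments` description should state which display names remain resolvable. The `dnsSettings` value is built by interpolating `domainNameLabel` into a JSON string, `json('{"domainNameLabel": "${domainNameLabel}"}')`; the object literal `dnsSettings: ((!empty(domainNameLabel)) ? { domainNameLabel: domainNameLabel } : json('null'))` avoids the fragile quoting. The `lockForDeletion` description still reads "Switch to lock Key Vault from deletion.", carried over from the old template, and should read `@description('Optional. Switch to lock the Azure Bastion and its Public IP from deletion.')`. `azureBastion_diagnosticSettings` sends only `logs` whereas `azureBastionPip_diagnosticSettings` also sends `metrics: diagnosticsMetrics`; if Bastion metrics are meant to be collected too, the omission looks accidental.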
@@ -1,550 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "azureBastionName": { - "type": "string", - "metadata": { - "description": "Required. Name of the Azure Bastion resource" - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "vNetId": { - "type": "string", - "metadata": { - "description": "Required. Shared services Virtual Network resource identifier" - } - }, - "azureBastionPipName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specifies the name of the Public IP used by Azure Bastion. If it's not provided, a '-pip' suffix will be appended to the Bastion's name." - } - }, - "publicIPPrefixId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource Id of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." - } - }, - "domainNameLabel": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. DNS name of the Public IP resource. A region specific suffix will be appended to it, e.g.: your-DNS-name.westeurope.cloudapp.azure.com" - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." 
- } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock Key Vault from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "azureBastionPipName": "[if( empty(parameters('azureBastionPipName')), concat(parameters('azureBastionName'), '-pip'), parameters('azureBastionPipName'))]", - "publicIPPrefix": { - "id": "[parameters('publicIPPrefixId')]" - }, - "diagnosticsMetrics": [ - { - "category": "AllMetrics", - "timeGrain": null, - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "publicIpDiagnosticsLogs": [ - { - "category": "DDoSProtectionNotifications", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "DDoSMitigationFlowLogs", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - }, - { - "category": "DDoSMitigationReports", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "azureBastionDiagnosticsLogs": [ - { - "category": "BastionAuditLogs", - "enabled": true, - "retentionPolicy": { - "enabled": true, - "days": "[parameters('diagnosticLogsRetentionInDays')]" - } - } - ], - "builtInRoleNames": { - "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - 
"AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", - "Attestation Reader": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", - "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", - "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", - "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", - "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", - "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Azure Service Bus 
Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", - "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", - "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", - "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'41077137-e803-4205-871c-5a86e6a753b4')]", - "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", - "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", - "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", - "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", - "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", - "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", - "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", - "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", - "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", - "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Exporter": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", - "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", - "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", - "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", - "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", - "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", - "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", - "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", - "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", - "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.Network/publicIPAddresses", - "apiVersion": "2021-02-01", - "name": "[variables('azureBastionPipName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "Standard" - }, - "properties": { - "publicIPAllocationMethod": "Static", - "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixId'))), variables('publicIPPrefix'), json('null'))]", - "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), json(concat('{\"domainNameLabel\": \"', parameters('domainNameLabel'), '\"}')), json('null'))]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/publicIpDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.Network/publicIPAddresses/', variables('azureBastionPipName'))]" - ], - "comments": "Resource lock on Public IP", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "location": "[parameters('location')]", - "name": "[concat(variables('azureBastionPipName'), '/Microsoft.Insights/service')]", - 
"condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.Network/publicIPAddresses/', variables('azureBastionPipName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('publicIpDiagnosticsLogs'))]" - } - } - ] - }, - { - "type": "Microsoft.Network/bastionHosts", - "name": "[parameters('azureBastionName')]", - "apiVersion": "2021-02-01", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "dependsOn": [ - "[concat('Microsoft.Network/publicIPAddresses/', variables('azureBastionPipName'))]" - ], - "properties": { - "ipConfigurations": [ - { - "name": "IpConf", - "properties": { - "subnet": { - "id": "[concat(parameters('vNetId'), '/subnets/AzureBastionSubnet')]" - }, - "publicIPAddress": { - "id": "[resourceId('Microsoft.Network/publicIPAddresses', concat(variables('azureBastionPipName')))]" - } - } - } - ] - }, - "resources": [ - { - "type": 
"providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/azureBastionDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.Network/bastionHosts/', parameters('azureBastionName'))]" - ], - "comments": "Resource lock on Azure Bastion", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.Network/bastionHosts/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", - "location": "[parameters('location')]", - "name": "[concat(parameters('azureBastionName'), '/Microsoft.Insights/service')]", - "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.Network/bastionHosts/', parameters('azureBastionName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('azureBastionDiagnosticsLogs'))]" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('azureBastionName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": 
"[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "azureBastionName": { - "value": "[parameters('azureBastionName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "azureBastionName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/bastionHosts/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('azureBastionName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('azureBastionName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "azureBastionResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The Resource Group the Azure Bastion was deployed." 
- }
- },
- "azureBastionName": {
- "type": "string",
- "value": "[parameters('azureBastionName')]",
- "metadata": {
- "description": "The Name of the Azure Bastion."
- }
- },
- "azureBastionResourceId": {
- "type": "string",
- "value": "[resourceId('Microsoft.Network/bastionHosts', parameters('azureBastionName'))]",
- "metadata": {
- "description": "The Resource Id of the Azure Bastion."
- }
- }
- }
-}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/bastionHosts/readme.md b/arm/Microsoft.Network/bastionHosts/readme.md
index f9e120916e..9d035eaa73 100644
--- a/arm/Microsoft.Network/bastionHosts/readme.md
+++ b/arm/Microsoft.Network/bastionHosts/readme.md
@@ -9,9 +9,8 @@ This module deploys an Azure Bastion.
 |`Microsoft.Resources/deployments`|2018-02-01|
 |`Microsoft.Network/publicIPAddresses`|2021-02-01|
 |`Microsoft.Network/bastionHosts`|2021-02-01|
-|`providers/locks`|2016-09-01|
-|`Microsoft.Network/publicIPAddresses/providers/diagnosticSettings`|2017-05-01-preview|
-|`Microsoft.Network/bastionHosts/providers/diagnosticSettings`|2017-05-01-preview|
+|`Microsoft.Authorization/locks`|2016-09-01|
+|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview|
 |`Microsoft.Network/bastionHosts/providers/roleAssignments` |2018-09-01-preview|
 
 ## Parameters
diff --git a/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_cuaId.bicep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..2958920971
--- /dev/null
+++ b/arm/Microsoft.Network/expressRouteCircuits/.bicep/nested_rbac.bicep
@@ -0,0 +1,11 @@
+param roleAssignmentObj object
+param builtInRoleNames object
+param resourceName string
+
+resource roleAssigment 'Microsoft.Network/expressRouteCircuits/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+ properties: {
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
+ principalId: principalId
+ }
+}]
diff --git a/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep b/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep
new file mode 100644
index 0000000000..69f0d2fe67
--- /dev/null
+++ b/arm/Microsoft.Network/expressRouteCircuits/deploy.bicep
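Review bot: On the `roleDefinitionId` line, `roleAssignmentObj.roleDefinitionIdOrName` is passed through verbatim whenever it is not a key of `builtInRoleNames`, so a display name that is missing from the map (the new map in deploy.bicep has 15 entries, whereas the role maps in the removed JSON templates on this page list far more) is sent to ARM as if it were a resource ID and fails with an opaque validation error rather than a message naming the unknown role. A comment on that line would make the contract explicit, e.g. `// Falls through to the raw value: any role not listed in builtInRoleNames must be given as a full roleDefinitions resource ID`, and the supported names belong in the module readme. The symbolic name `roleAssigment` is misspelled; `roleAssignment` would read consistently with the caller's `expressRouteCircuits_rbac` module. The `2020-04-01-preview` roleAssignments API should also accept `principalType`; passing it through from the assignment object avoids the lookup failure seen when a freshly created service principal has not yet replicated.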
@@ -0,0 +1,197 @@
+@description('Required. This is the name of the ExpressRoute circuit')
+param circuitName string
+
+@description('Required. This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call.')
+param serviceProviderName string
+
+@description('Required. This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call.')
+param peeringLocation string
+
+@description('Required. This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call.')
+param bandwidthInMbps int
+
+@description('Required. Chosen SKU Tier of ExpressRoute circuit. Choose from Premium or Standard SKU tiers.')
+@allowed([
+ 'Standard'
+ 'Premium'
+])
+param skuTier string = 'Standard'
+
+@description('Required. Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families.')
+@allowed([
+ 'MeteredData'
+ 'UnlimitedData'
+])
+param skuFamily string = 'MeteredData'
+
+@description('Optional. Enabled BGP peering type for the Circuit.')
+@allowed([
+ true
+ false
+])
+param peering bool = false
+
+@description('Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering.')
+@allowed([
+ 'AzurePrivatePeering'
+ 'MicrosoftPeering'
+])
+param peeringType string = 'AzurePrivatePeering'
+
+@description('Optional. The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required.')
+param sharedKey string = ''
+
+@description('Optional. The autonomous system number of the customer/connectivity provider.')
+param peerASN int = 0
+
+@description('Optional. A /30 subnet used to configure IP addresses for interfaces on Link1.')
+param primaryPeerAddressPrefix string = ''
+
+@description('Optional. A /30 subnet used to configure IP addresses for interfaces on Link2.')
+param secondaryPeerAddressPrefix string = ''
+
+@description('Optional. Specifies the identifier that is used to identify the customer.')
+param vlanId int = 0
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@minValue(0)
+@maxValue(365)
+param diagnosticLogsRetentionInDays int = 365
+
+@description('Optional. Resource identifier of the Diagnostic Storage Account.')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Resource identifier of Log Analytics.')
+param workspaceId string = ''
+
+@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param eventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
+param eventHubName string = ''
+
+@description('Optional. Switch to lock ExpressRoute Circuit from deletion.')
+param lockForDeletion bool = false
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+var diagnosticsMetrics = [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+ }
+]
+var diagnosticsLogs = [
+ {
+ category: 'PeeringRouteLog'
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+ }
+]
+var peeringConfiguration = [
+ {
+ name: peeringType
+ properties: {
+ peeringType: peeringType
+ sharedKey: sharedKey
+ peerASN: peerASN
+ primaryPeerAddressPrefix: primaryPeerAddressPrefix
+ secondaryPeerAddressPrefix: secondaryPeerAddressPrefix
+ vlanId: vlanId
+ }
+ }
+]
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource expressRouteCircuits 'Microsoft.Network/expressRouteCircuits@2021-02-01' = {
+ name: circuitName
+ location: location
+ tags: tags
+ sku: {
+ name: '${skuTier}_${skuFamily}'
+ tier: skuTier
+ family: skuFamily
+ }
+ properties: {
+ serviceProviderProperties: {
+ serviceProviderName: serviceProviderName
+ peeringLocation: peeringLocation
+ bandwidthInMbps: bandwidthInMbps
+ }
+ peerings: (peering ? peeringConfiguration : json('null'))
+ }
+}
+
+resource expressRouteCircuits_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+ name: '${expressRouteCircuits.name}-doNotDelete'
+ properties: {
+ level: 'CanNotDelete'
+ }
+ scope: expressRouteCircuits
+}
+
+resource expressRouteCircuits_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) {
+ name: '${expressRouteCircuits.name}-diagnosticSettings'
+ properties: {
+ storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId)
+ workspaceId: (empty(workspaceId) ? json('null') : workspaceId)
+ eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId)
+ eventHubName: (empty(eventHubName) ? json('null') : eventHubName)
+ metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics)
+ logs: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsLogs)
+ }
+ scope: expressRouteCircuits
+}
+
+module expressRouteCircuits_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
+ params: {
+ roleAssignmentObj: roleAssignment
+ builtInRoleNames: builtInRoleNames
+ resourceName: expressRouteCircuits.name
+ }
+}]
+
+output expressRouteCircuitResourceId string = expressRouteCircuits.id
+output expressRouteCircuitResourceGroup string = resourceGroup().name
+output expressRouteCircuitName string = expressRouteCircuits.name
+output expressRouteCircuitServiceKey string = reference(expressRouteCircuits.id, '2020-05-01').serviceKey
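Review bot: `param sharedKey string = ''` holds the BGP MD5 shared key that `peeringConfiguration` writes into the circuit, yet it is not marked `@secure()`, so its value is recorded in plain text in the deployment's input parameters and deployment history; adding `@secure()` directly above the `param sharedKey` line fixes this, and an empty-string default remains allowed on a secure parameter. The `roleAssignments` description says each object carries `'principalId'`, but `nested_rbac.bicep` iterates `roleAssignmentObj.principalIds`, so an object built to the documented shape will not deploy; the description should read `'principalIds'` and say it is an array. The `peeringType` description offers `AzurePublicPeering`, which the `@allowed` list on the same parameter does not accept, so one of the two should be corrected. `output expressRouteCircuitServiceKey` also lands in the deployment history, readable by anyone with read access on the resource group; worth confirming that exposure is acceptable for the circuit's service key.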
diff --git a/arm/Microsoft.Network/expressRouteCircuits/deploy.json b/arm/Microsoft.Network/expressRouteCircuits/deploy.json
deleted file mode 100644
index c207f9c0b8..0000000000
--- a/arm/Microsoft.Network/expressRouteCircuits/deploy.json
+++ /dev/null
@@ -1,558 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "circuitName": {
- "type": "string",
- "metadata": {
- "description": "Required. This is the name of the ExpressRoute circuit"
- }
- },
- "serviceProviderName": {
- "type": "string",
- "metadata": {
- "description": "Required. This is the name of the ExpressRoute Service Provider. It must exactly match one of the Service Providers from List ExpressRoute Service Providers API call."
- }
- },
- "peeringLocation": {
- "type": "string",
- "metadata": {
- "description": "Required. This is the name of the peering location and not the ARM resource location. It must exactly match one of the available peering locations from List ExpressRoute Service Providers API call."
- }
- },
- "bandwidthInMbps": {
- "type": "int",
- "metadata": {
- "description": "Required. This is the bandwidth in Mbps of the circuit being created. It must exactly match one of the available bandwidth offers List ExpressRoute Service Providers API call."
- }
- },
- "skuTier": {
- "type": "string",
- "defaultValue": "Standard",
- "allowedValues": [
- "Standard",
- "Premium"
- ],
- "metadata": {
- "description": "Required. Chosen SKU Tier of ExpressRoute circuit. Choose from Premium or Standard SKU tiers."
- }
- },
- "skuFamily": {
- "type": "string",
- "defaultValue": "MeteredData",
- "allowedValues": [
- "MeteredData",
- "UnlimitedData"
- ],
- "metadata": {
- "description": "Required. Chosen SKU family of ExpressRoute circuit. Choose from MeteredData or UnlimitedData SKU families."
- }
- },
- "peering": {
- "type": "bool",
- "defaultValue": false,
- "allowedValues": [
- true,
- false
- ],
- "metadata": {
- "description": "Optional. Enabled BGP peering type for the Circuit." 
- }
- },
- "peeringType": {
- "type": "string",
- "defaultValue": "AzurePrivatePeering",
- "allowedValues": [
- "AzurePrivatePeering",
- "MicrosoftPeering"
- ],
- "metadata": {
- "description": "Optional. BGP peering type for the Circuit. Choose from AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering."
- }
- },
- "sharedKey": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. The shared key for peering configuration. Router does MD5 hash comparison to validate the packets sent by BGP connection. This parameter is optional and can be removed from peering configuration if not required."
- }
- },
- "peerASN": {
- "type": "int",
- "defaultValue": 0,
- "metadata": {
- "description": "Optional. The autonomous system number of the customer/connectivity provider."
- }
- },
- "primaryPeerAddressPrefix": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. A /30 subnet used to configure IP addresses for interfaces on Link1."
- }
- },
- "secondaryPeerAddressPrefix": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. A /30 subnet used to configure IP addresses for interfaces on Link2."
- }
- },
- "vlanId": {
- "type": "int",
- "defaultValue": 0,
- "metadata": {
- "description": "Optional. Specifies the identifier that is used to identify the customer."
- }
- },
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "Optional. Location for all resources."
- }
- },
- "diagnosticLogsRetentionInDays": {
- "type": "int",
- "defaultValue": 365,
- "minValue": 0,
- "maxValue": 365,
- "metadata": {
- "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
- }
- },
- "diagnosticStorageAccountId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource identifier of the Diagnostic Storage Account." 
- }
- },
- "workspaceId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource identifier of Log Analytics."
- }
- },
- "eventHubAuthorizationRuleId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to."
- }
- },
- "eventHubName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category."
- }
- },
- "lockForDeletion": {
- "type": "bool",
- "defaultValue": false,
- "metadata": {
- "description": "Optional. Switch to lock ExpressRoute Circuit from deletion."
- }
- },
- "roleAssignments": {
- "defaultValue": [
- ],
- "type": "array",
- "metadata": {
- "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
- }
- },
- "tags": {
- "type": "object",
- "defaultValue": {
- },
- "metadata": {
- "description": "Optional. Tags of the resource."
- }
- },
- "cuaId": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered"
- }
- }
- },
- "variables": {
- "diagnosticsMetrics": [
- {
- "category": "AllMetrics",
- "timeGrain": null,
- "enabled": true,
- "retentionPolicy": {
- "enabled": true,
- "days": "[parameters('diagnosticLogsRetentionInDays')]"
- }
- }
- ],
- "diagnosticsLogs": [
- {
- "category": "PeeringRouteLog",
- "enabled": true,
- "retentionPolicy": {
- "enabled": true,
- "days": "[parameters('diagnosticLogsRetentionInDays')]"
- }
- }
- ],
- "peeringConfiguration": [
- {
- "name": "[parameters('peeringType')]",
- "properties": {
- "peeringType": "[parameters('peeringType')]",
- "sharedKey": "[parameters('sharedKey')]",
- "peerASN": "[parameters('peerASN')]",
- "primaryPeerAddressPrefix": "[parameters('primaryPeerAddressPrefix')]",
- "secondaryPeerAddressPrefix": "[parameters('secondaryPeerAddressPrefix')]",
- "vlanId": "[parameters('vlanId')]"
- }
- }
- ],
- "builtInRoleNames": {
- "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
- "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
- "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
- "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
- "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
- "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
- "API Management 
Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
- "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
- "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
- "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
- "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
- "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
- "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
- "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
- "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
- "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
- "Automation Operator": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
- "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
- "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
- "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
- "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
- "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
- "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
- "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
- "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
- "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
- "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
- "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
- "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
- "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
- "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
- "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
- "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
- "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
- "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
- "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
- "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
- "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
- "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
- "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
- "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
- "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
- "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
- "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
- "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
- "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
- "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
- "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
- "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
- "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
- "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
- "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
- "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
- "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
- "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
- "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
- "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
- "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
- "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
- "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
- "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
- "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
- "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
- "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
- "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
- "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
- "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
- "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
- "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
- "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
- "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
- "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
- "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
- "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
- "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
- "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
- "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
- "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
- "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
- "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
- "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
- "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
- "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
- "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
- "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
- "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
- "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
- "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
- "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
- "FHIR Data 
Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
- "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
- "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
- "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
- "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
- "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
- "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
- "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
- "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
- "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
- "Key Vault Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
- "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
- "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
- "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
- "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
- "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
- "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
- "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
- "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
- "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
- "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
- "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
- "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
- "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
- "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
- "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
- "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
- "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
- "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
- "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
- "New Relic APM Account Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
- "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
- "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
- "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
- "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
- "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
- "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
- "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
- "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
- "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
- "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
- 
"Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
- "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
- "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
- "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
- "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
- "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
- "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
- "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
- "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
- "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
- "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support 
Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" - } - }, - "resources": [ - { - "condition": "[not(empty(parameters('cuaId')))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.Network/expressRouteCircuits", - "apiVersion": "2021-02-01", - "name": "[parameters('circuitName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "sku": { - "name": "[concat(parameters('skuTier'),'_', parameters('skuFamily'))]", - "tier": "[parameters('skuTier')]", - "family": "[parameters('skuFamily')]" - }, - "properties": { - "serviceProviderProperties": { - "serviceProviderName": "[parameters('serviceProviderName')]", - "peeringLocation": "[parameters('peeringLocation')]", - "bandwidthInMbps": "[parameters('bandwidthInMbps')]" - }, - "peerings": "[if(parameters('peering'), variables('peeringConfiguration'), json('null'))]" - }, - "resources": [ - { - "type": "providers/locks", - "apiVersion": "2016-09-01", - "condition": "[parameters('lockForDeletion')]", - "name": "Microsoft.Authorization/expressRouteCircuitDoNotDelete", - "dependsOn": [ - "[concat('Microsoft.Network/expressRouteCircuits/', parameters('circuitName'))]" - ], - "comments": "Resource lock on Azure ExpressRoute Circuit", - "properties": { - "level": "CannotDelete" - } - }, - { - "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticsettings", - "apiVersion": "2017-05-01-preview", - "name": "[concat(parameters('circuitName'), '/Microsoft.Insights/service')]", - "location": "[parameters('location')]", - "condition": 
"[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]", - "dependsOn": [ - "[concat('Microsoft.Network/expressRouteCircuits/', parameters('circuitName'))]" - ], - "properties": { - "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]", - "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]", - "eventHubAuthorizationRuleId": "[if(empty(parameters('eventHubAuthorizationRuleId')), json('null'), parameters('eventHubAuthorizationRuleId'))]", - "eventHubName": "[if(empty(parameters('eventHubName')), json('null'), parameters('eventHubName'))]", - "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]", - "logs": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsLogs'))]" - } - } - ] - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('circuitName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "circuitName": { - "value": "[parameters('circuitName')]" - } - }, - 
"template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "circuitName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/expressRouteCircuits/providers/roleAssignments", - "apiVersion": "2018-09-01-preview", - "name": "[concat(parameters('circuitName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('circuitName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": "[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "expressRouteCircuitResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/expressRouteCircuits', parameters('circuitName'))]", - "metadata": { - "description": "The Resource Id of the ExpressRoute Circuits." - } - }, - "expressRouteCircuitResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the ExpressRoute Circuits was created in." - } - }, - "expressRouteCircuitName": { - "type": "string", - "value": "[parameters('circuitName')]", - "metadata": { - "description": "The Name of the ExpressRoute Circuits.." 
- } - }, - "expressRouteCircuitServiceKey": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Network/expressRouteCircuits', parameters('circuitName')),'2020-05-01').serviceKey]", - "metadata": { - "description": "The URL of the Key Vault." - } - } - } -} \ No newline at end of file diff --git a/arm/Microsoft.Network/expressRouteCircuits/readme.md b/arm/Microsoft.Network/expressRouteCircuits/readme.md index 7108088b93..97d279123e 100644 --- a/arm/Microsoft.Network/expressRouteCircuits/readme.md +++ b/arm/Microsoft.Network/expressRouteCircuits/readme.md @@ -9,8 +9,8 @@ This template deploys a ExrepressRoute Circuit. |:--|:--| |`Microsoft.Resources/deployments`|2018-02-01| |`Microsoft.Network/expressRouteCircuits`|2021-02-01| -|`providers/locks`|2016-09-01| -|`Microsoft.Network/expressRouteCircuits/providers/diagnosticsettings`|2017-05-01-preview| +|`Microsoft.Authorization/locks`|2016-09-01| +|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview| |`Microsoft.Network/expressRouteCircuits/providers/roleAssignments`|2018-09-01-preview| ## Parameters diff --git a/arm/Microsoft.Network/loadBalancers/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/loadBalancers/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..6c37b53413 --- /dev/null +++ b/arm/Microsoft.Network/loadBalancers/.bicep/nested_rbac.bicep 
@@ -0,0 +1,11 @@
+param roleAssignmentObj object
+param builtInRoleNames object
+param resourceName string
+
+resource roleAssigment 'Microsoft.Network/loadBalancers/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+ properties: {
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
+ principalId: principalId
+ }
+}]
diff --git a/arm/Microsoft.Network/loadBalancers/deploy.bicep b/arm/Microsoft.Network/loadBalancers/deploy.bicep
new file mode 100644
index 0000000000..24f0c7fb79
--- /dev/null
+++ b/arm/Microsoft.Network/loadBalancers/deploy.bicep
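Review bot: The role assignment resource in this hunk sets only `roleDefinitionId` and `principalId`; without `principalType`, an assignment for a service principal or managed identity created earlier in the same pipeline can intermittently fail on directory replication lag, so consider passing it through, e.g. `principalType: contains(roleAssignmentObj, 'principalType') ? roleAssignmentObj.principalType : json('null')`. A `roleDefinitionIdOrName` that is not a key of `builtInRoleNames` is forwarded verbatim as `roleDefinitionId`, so a misspelled display name surfaces only as a deployment-time error; a short comment on the `roleDefinitionId` line stating that the fallthrough value is expected to be a full role definition resource ID would help callers. The symbolic name `roleAssigment` is misspelled and should read `roleAssignment`, matching the parameter `roleAssignmentObj`.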
@@ -0,0 +1,198 @@
+@description('Required. The Proximity Placement Groups Name')
+param loadBalancerName string
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Optional. Name of a load balancer SKU.')
+@allowed([
+ 'Basic'
+ 'Standard'
+])
+param loadBalancerSku string = 'Standard'
+
+@description('Required. Array of objects containing all frontend IP configurations')
+@minLength(1)
+param frontendIPConfigurations array
+
+@description('Required. Collection of backend address pools used by a load balancer.')
+@minLength(1)
+param backendAddressPools array
+
+@description('Required. Array of objects containing all load balancing rules')
+@minLength(1)
+param loadBalancingRules array
+
+@description('Required. Array of objects containing all probes, these are references in the load balancing rules')
+@minLength(1)
+param probes array
+
+@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
+@minValue(0)
+@maxValue(365)
+param diagnosticLogsRetentionInDays int = 365
+
+@description('Optional. Resource identifier of the Diagnostic Storage Account.')
+param diagnosticStorageAccountId string = ''
+
+@description('Optional. Resource identifier of Log Analytics.')
+param workspaceId string = ''
+
+@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
+param eventHubAuthorizationRuleId string = ''
+
+@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
+param eventHubName string = ''
+
+@description('Optional. Switch to lock resource from deletion.')
+param lockForDeletion bool = false
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+var frontendsSubnets = [for item in frontendIPConfigurations: {
+ id: item.properties.subnetId
+}]
+var frontendsPublicIPAddresses = [for item in frontendIPConfigurations: {
+ id: item.properties.publicIPAddressId
+}]
+var frontendsObj = {
+ subnets: frontendsSubnets
+ publicIPAddresses: frontendsPublicIPAddresses
+}
+
+var frontendIPConfigurations_var = [for (frontendIPConfiguration, index) in frontendIPConfigurations: {
+ name: frontendIPConfiguration.name
+ properties: {
+ subnet: (empty(frontendIPConfiguration.properties.subnetId) ? json('null') : frontendsObj.subnets[index])
+ publicIPAddress: (empty(frontendIPConfiguration.properties.publicIPAddressId) ? json('null') : frontendsObj.publicIPAddresses[index])
+ privateIPAddress: (empty(frontendIPConfiguration.properties.privateIPAddress) ? json('null') : frontendIPConfiguration.properties.privateIPAddress)
+ privateIPAllocationMethod: (empty(frontendIPConfiguration.properties.subnetId) ? json('null') : (empty(frontendIPConfiguration.properties.privateIPAddress) ? 'Dynamic' : 'Static'))
+ }
+}]
+
+var loadBalancingRules_var = [for loadBalancingRule in loadBalancingRules: {
+ name: loadBalancingRule.name
+ properties: {
+ backendAddressPool: {
+ id: resourceId('Microsoft.Network/loadBalancers/backendAddressPools', loadBalancerName, loadBalancingRule.properties.backendAddressPoolName)
+ }
+ backendPort: loadBalancingRule.properties.backendPort
+ disableOutboundSnat: (contains(loadBalancingRule.properties, 'disableOutboundSnat') ? loadBalancingRule.properties.disableOutboundSnat : 'false')
+ enableFloatingIP: loadBalancingRule.properties.enableFloatingIP
+ enableTcpReset: (contains(loadBalancingRule.properties, 'enableTcpReset') ? loadBalancingRule.properties.enableTcpReset : 'false')
+ frontendIPConfiguration: {
+ id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', loadBalancerName, loadBalancingRule.properties.frontendIPConfigurationName)
+ }
+ frontendPort: loadBalancingRule.properties.frontendPort
+ idleTimeoutInMinutes: loadBalancingRule.properties.idleTimeoutInMinutes
+ loadDistribution: (contains(loadBalancingRule.properties, 'loadDistribution') ? loadBalancingRule.properties.loadDistribution : 'Default')
+ probe: {
+ id: '${resourceId('Microsoft.Network/loadBalancers', loadBalancerName)}/probes/${loadBalancingRule.properties.probeName}'
+ }
+ protocol: loadBalancingRule.properties.protocol
+ }
+ }]
+
+var probes_var = [for probe in probes: {
+ name: probe.name
+ properties: {
+ protocol: probe.properties.protocol
+ requestPath: ((toLower(probe.properties.protocol) == 'tcp') ? json('null') : probe.properties.requestPath)
+ port: probe.properties.port
+ intervalInSeconds: probe.properties.intervalInSeconds
+ numberOfProbes: probe.properties.numberOfProbes
+ }
+ }]
+
+var diagnosticsMetrics = [
+ {
+ category: 'AllMetrics'
+ timeGrain: null
+ enabled: true
+ retentionPolicy: {
+ enabled: true
+ days: diagnosticLogsRetentionInDays
+ }
+ }
+]
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','76283e04-6283-4c54-8f91-bcf1374a3c64')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','1c0163c0-47e6-4577-8991-ea5c82e286e4')
+ 'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
+ 'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','fb879df8-f326-4884-b1cf-06f3ad86be52')
+}
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource loadBalancer 'Microsoft.Network/loadBalancers@2021-02-01' = {
+ name: loadBalancerName
+ location: location
+ tags: tags
+ sku: {
+ name: loadBalancerSku
+ }
+ properties: {
+ frontendIPConfigurations: frontendIPConfigurations_var
+ backendAddressPools: backendAddressPools
+ loadBalancingRules: loadBalancingRules_var
+ probes: probes_var
+ }
+}
+
+resource loadBalancer_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+ name: '${loadBalancer.name}-doNotDelete'
+ properties: {
+ level: 'CanNotDelete'
+ }
+ scope: loadBalancer
+}
+
+resource loadBalancer_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2017-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) {
+ name: '${loadBalancer.name}-diagnosticSettings'
+ properties: {
+ storageAccountId: (empty(diagnosticStorageAccountId) ? json('null') : diagnosticStorageAccountId)
+ workspaceId: (empty(workspaceId) ? json('null') : workspaceId)
+ eventHubAuthorizationRuleId: (empty(eventHubAuthorizationRuleId) ? json('null') : eventHubAuthorizationRuleId)
+ eventHubName: (empty(eventHubName) ? json('null') : eventHubName)
+ metrics: ((empty(diagnosticStorageAccountId) && empty(workspaceId) && empty(eventHubAuthorizationRuleId) && empty(eventHubName)) ? json('null') : diagnosticsMetrics)
+ }
+ scope: loadBalancer
+}
+
+module loadBalancer_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
+ params: {
+ roleAssignmentObj: roleAssignment
+ builtInRoleNames: builtInRoleNames
+ resourceName: loadBalancer.name
+ }
+}]
+
+output loadBalancerName string = loadBalancer.name
+output loadBalancerResourceId string = loadBalancer.id
+output loadBalancerResourceGroup string = resourceGroup().name
diff --git a/arm/Microsoft.Network/loadBalancers/deploy.json b/arm/Microsoft.Network/loadBalancers/deploy.json
deleted file mode 100644
index 6b47289719..0000000000
--- a/arm/Microsoft.Network/loadBalancers/deploy.json
+++ /dev/null
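Review bot: `builtInRoleNames` in the new file resolves only nineteen display names, while the deleted loadBalancers/deploy.json mapped the full built-in list (e.g. `AcrPull`, `Attestation Reader`), so a caller still passing one of the dropped names has it forwarded unchanged as `roleDefinitionId` by nested_rbac.bicep and fails only at deployment time; either restore the full map or state the supported set in the `roleAssignments` description. `disableOutboundSnat` and `enableTcpReset` in `loadBalancingRules_var` default to the string `'false'` where the property is a bool, e.g. `disableOutboundSnat: (contains(loadBalancingRule.properties, 'disableOutboundSnat') ? loadBalancingRule.properties.disableOutboundSnat : false)` and the same for `enableTcpReset`. The `loadBalancerName` parameter description still reads `Required. The Proximity Placement Groups Name` and should say `Required. The Load Balancer Name`.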
@@ -1,543 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "loadBalancerName": { - "type": "string", - "metadata": { - "description": "Required. The Proximity Placement Groups Name" - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "loadBalancerSku": { - "type": "string", - "defaultValue": "Standard", - "allowedValues": ["Basic", "Standard"], - "metadata": { - "description": "Optional. Name of a load balancer SKU." - } - }, - "frontendIPConfigurations": { - "type": "array", - "minLength": 1, - "metadata": { - "description": "Required. Array of objects containing all frontend IP configurations" - } - }, - "backendAddressPools": { - "type": "array", - "minLength": 1, - "metadata": { - "description": "Required. Collection of backend address pools used by a load balancer." - } - }, - "loadBalancingRules": { - "type": "array", - "minLength": 1, - "metadata": { - "description": "Required. Array of objects containing all load balancing rules" - } - }, - "probes": { - "type": "array", - "minLength": 1, - "metadata": { - "description": "Required. Array of objects containing all probes, these are references in the load balancing rules" - } - }, - "diagnosticLogsRetentionInDays": { - "type": "int", - "defaultValue": 365, - "minValue": 0, - "maxValue": 365, - "metadata": { - "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." - } - }, - "diagnosticStorageAccountId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of the Diagnostic Storage Account." - } - }, - "workspaceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource identifier of Log Analytics." 
- } - }, - "eventHubAuthorizationRuleId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." - } - }, - "lockForDeletion": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to lock resource from deletion." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "frontends": { - "copy": [ - { - "name": "subnets", - "count": "[length(parameters('frontendIPConfigurations'))]", - "input": { - "id": "[parameters('frontendIPConfigurations')[copyIndex('subnets')].properties.subnetId]" - } - }, - { - "name": "publicIPAddresses", - "count": "[length(parameters('frontendIPConfigurations'))]", - "input": { - "id": "[parameters('frontendIPConfigurations')[copyIndex('publicIPAddresses')].properties.publicIPAddressId]" - } - } - ] - }, - "frontendIPConfigurations": { - "copy": [ - { - "name": "frontendIPConfigurations", - "count": "[length(parameters('frontendIPConfigurations'))]", - "input": { - "name": "[parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].name]", - "properties": { - "subnet": "[if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.subnetId), json('null'), variables('frontends').subnets[copyIndex('frontendIPConfigurations')])]", - "publicIPAddress": "[if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.publicIPAddressId), json('null'), variables('frontends').publicIPAddresses[copyIndex('frontendIPConfigurations')])]", - "privateIPAddress": "[if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.privateIPAddress), json('null'), parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.privateIPAddress)]", - "privateIPAllocationMethod": "[if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.subnetId), json('null'), if(empty(parameters('frontendIPConfigurations')[copyIndex('frontendIPConfigurations')].properties.privateIPAddress), 'Dynamic', 'Static'))]" - } - } - } - ] - }, - "loadBalancingRules": { - "copy": [ - { - "name": "loadBalancingRules", - "count": "[length(parameters('loadBalancingRules'))]", - "input": { - 
"name": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].name]",
- "properties": {
- "frontendIPConfiguration": {
- "id": "[resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', parameters('loadBalancerName'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.frontendIPConfigurationName)]"
- },
- "backendAddressPool": {
- "id": "[resourceId('Microsoft.Network/loadBalancers/backendAddressPools', parameters('loadBalancerName'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.backendAddressPoolName)]"
- },
- "frontendPort": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.frontendPort]",
- "backendPort": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.backendPort]",
- "enableFloatingIP": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.enableFloatingIP]",
- "idleTimeoutInMinutes": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.idleTimeoutInMinutes]",
- "protocol": "[parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.protocol]",
- "enableDestinationServiceEndpoint": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties, 'enableDestinationServiceEndpoint'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.enableDestinationServiceEndpoint, 'false')]",
- "enableTcpReset": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties, 'enableTcpReset'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.enableTcpReset, 'false')]",
- "loadDistribution": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties, 'loadDistribution'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.loadDistribution, 'Default')]",
- "disableOutboundSnat": "[if(contains(parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties, 'disableOutboundSnat'), parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.disableOutboundSnat, 'false')]",
- "probe": {
- "id": "[concat(resourceId('Microsoft.Network/loadBalancers', parameters('loadBalancerName')), '/probes/', parameters('loadBalancingRules')[copyIndex('loadBalancingRules')].properties.probeName)]"
- }
- }
- }
- }
- ]
- },
- "probes": {
- "copy": [
- {
- "name": "probes",
- "count": "[length(parameters('probes'))]",
- "input": {
- "name": "[parameters('probes')[copyIndex('probes')].name]",
- "properties": {
- "protocol": "[parameters('probes')[copyIndex('probes')].properties.protocol]",
- "requestPath": "[if(equals(tolower(parameters('probes')[copyIndex('probes')].properties.protocol), 'tcp'), json('null'), parameters('probes')[copyIndex('probes')].properties.requestPath)]",
- "port": "[parameters('probes')[copyIndex('probes')].properties.port]",
- "intervalInSeconds": "[parameters('probes')[copyIndex('probes')].properties.intervalInSeconds]",
- "numberOfProbes": "[parameters('probes')[copyIndex('probes')].properties.numberOfProbes]"
- }
- }
- }
- ]
- },
- "diagnosticsMetrics": [
- {
- "category": "AllMetrics",
- "timeGrain": null,
- "enabled": true,
- "retentionPolicy": {
- "enabled": true,
- "days": "[parameters('diagnosticLogsRetentionInDays')]"
- }
- }
- ],
- "builtInRoleNames": {
- "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]",
- "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]",
- "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
- "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]",
- "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]",
- "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]",
- "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]",
- "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]",
- "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]",
- "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]",
- "App Configuration Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]",
- "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]",
- "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]",
- "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]",
- "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]",
- "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]",
- "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]",
- "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]",
- "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]",
- "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]",
- "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]",
- "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]",
- "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]",
- "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]",
- "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]",
- "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]",
- "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]",
- "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
- "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]",
- "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]",
- "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]",
- "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]",
- "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]",
- "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]",
- "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]",
- "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]",
- "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]",
- "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]",
- "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]",
- "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]",
- "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]",
- "Backup Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]",
- "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]",
- "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]",
- "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]",
- "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]",
- "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]",
- "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]",
- "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]",
- "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]",
- "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]",
- "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]",
- "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]",
- "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]",
- "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]",
- "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]",
- "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]",
- "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]",
- "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]",
- "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]",
- "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]",
- "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]",
- "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]",
- "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]",
- "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]",
- "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]",
- "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
- "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]",
- "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]",
- "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]",
- "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]",
- "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]",
- "Data Box Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]",
- "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]",
- "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]",
- "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]",
- "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]",
- "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]",
- "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]",
- "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]",
- "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]",
- "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]",
- "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]",
- "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]",
- "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]",
- "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]",
- "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]",
- "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]",
- "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]",
- "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]",
- "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]",
- "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]",
- "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]",
- "Hierarchy Settings Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]",
- "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]",
- "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]",
- "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]",
- "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]",
- "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]",
- "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]",
- "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]",
- "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]",
- "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]",
- "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]",
- "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]",
- "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]",
- "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]",
- "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]",
- "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]",
- "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]",
- "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]",
- "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]",
- "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]",
- "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]",
- "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]",
- "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]",
- "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]",
- "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]",
- "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]",
- "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]",
- "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]",
- "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]",
- "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
- "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]",
- "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]",
- "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
- "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]",
- "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]",
- "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]",
- "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]",
- "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]",
- "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]",
- "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]",
- "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]",
- "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]",
- "Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]",
- "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]",
- "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]",
- "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]",
- "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]",
- "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]",
- "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]",
- "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]",
- "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]",
- "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]",
- "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]",
- "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]",
- "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]",
- "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]",
- "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]",
- "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]",
- "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
- "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
- "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]",
- "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]",
- "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]",
- "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]",
- "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]",
- "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]",
- "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]",
- "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]",
- "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]",
- "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]",
- "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]",
- "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]",
- "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]",
- "Virtual Machine Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]",
- "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
- "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]",
- "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]",
- "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]",
- "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]",
- "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]"
- }
- },
- "resources": [
- {
- "condition": "[not(empty(parameters('cuaId')))]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2021-01-01",
- "name": "[concat('pid-', parameters('cuaId'))]",
- "properties": {
- "mode": "Incremental",
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "resources": [
- ]
- }
- }
- },
- {
- "name": "[parameters('loadBalancerName')]",
- "type": "Microsoft.Network/loadBalancers",
- "apiVersion": "2021-02-01",
- "location": "[parameters('location')]",
- "tags": "[parameters('tags')]",
- "sku": {
- "name": "[parameters('loadBalancerSku')]"
- },
- "properties": {
- "frontendIPConfigurations": "[variables('frontendIPConfigurations').frontendIPConfigurations]",
- "backendAddressPools": "[parameters('backendAddressPools')]",
- "loadBalancingRules": "[variables('loadBalancingRules').loadBalancingRules]",
- "probes": "[variables('probes').probes]"
- },
- "resources": [
- {
- "type": "providers/locks",
- "apiVersion": "2020-05-01",
- "condition": "[parameters('lockForDeletion')]",
- "name": "Microsoft.Authorization/loadBalancerDoNotDelete",
- "dependsOn": [
- "[concat('Microsoft.Network/loadBalancers/', parameters('loadBalancerName'))]"
- ],
- "comments": "Resource lock.",
- "properties": {
- "level": "CannotDelete"
- }
- }
- ]
- },
- {
- "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings",
- "apiVersion": "2017-05-01-preview",
- "location": "[parameters('location')]",
- "name": "[concat(parameters('loadBalancerName'), '/Microsoft.Insights/service')]",
- "condition": "[or(not(empty(parameters('diagnosticStorageAccountId'))),not(empty(parameters('workspaceId'))),not(empty(parameters('eventHubAuthorizationRuleId'))),not(empty(parameters('eventHubName'))))]",
- "dependsOn": [
- "[parameters('loadBalancerName')]"
- ],
- "properties": {
- "storageAccountId": "[if(empty(parameters('diagnosticStorageAccountId')), json('null'), parameters('diagnosticStorageAccountId'))]",
- "workspaceId": "[if(empty(parameters('workspaceId')), json('null'), parameters('workspaceId'))]",
- "metrics": "[if(and(empty(parameters('diagnosticStorageAccountId')), empty(parameters('workspaceId')), empty(parameters('eventHubAuthorizationRuleId')), empty(parameters('eventHubName'))), json('null'), variables('diagnosticsMetrics'))]"
- }
- },
- {
- "name": "[concat('rbac-',deployment().name, copyIndex())]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2021-01-01",
- "condition": "[not(empty(parameters('roleAssignments')))]",
- "dependsOn": [
- "[parameters('loadBalancerName')]"
- ],
- "copy": {
- "name": "rbacDeplCopy",
- "count": "[length(parameters('roleAssignments'))]"
- },
- "properties": {
- "mode": "Incremental",
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "parameters": {
- "roleAssignment": {
- "value": "[parameters('roleAssignments')[copyIndex()]]"
- },
- "builtInRoleNames": {
- "value": "[variables('builtInRoleNames')]"
- },
- "loadBalancerName": {
- "value": "[parameters('loadBalancerName')]"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "roleAssignment": {
- "type": "object"
- },
- "builtInRoleNames": {
- "type": "object"
- },
- "loadBalancerName": {
- "type": "string"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Network/loadBalancers/providers/roleAssignments",
- "apiVersion": "2018-09-01-preview",
- "name": "[concat(parameters('loadBalancerName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('loadBalancerName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]",
- "dependsOn": [],
- "copy": {
- "name": "innerRbacCopy",
- "count": "[length(parameters('roleAssignment').principalIds)]"
- },
- "properties": {
- "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
- "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]"
- }
- }
- ]
- }
- }
- }
- ],
- "functions": [
- ],
- "outputs": {
- "loadBalancerName": {
- "type": "string",
- "value": "[parameters('loadBalancerName')]",
- "metadata": {
- "description": "The Name of the Load Balancer."
- }
- },
- "loadBalancerResourceId": {
- "type": "string",
- "value": "[resourceId('Microsoft.Network/loadBalancers', parameters('loadBalancerName'))]",
- "metadata": {
- "description": "The Resource ID of the Load Balancer."
- }
- },
- "loadBalancerResourceGroup": {
- "type": "string",
- "value": "[resourceGroup().name]",
- "metadata": {
- "description": "The resource Group name in which the reosurce is created."
- }
- }
- }
-}
\ No newline at end of file
diff --git a/arm/Microsoft.Network/loadBalancers/parameters/parameters.json b/arm/Microsoft.Network/loadBalancers/parameters/parameters.json
index 28f8c5d026..2ceb7ece36 100644
--- a/arm/Microsoft.Network/loadBalancers/parameters/parameters.json
+++ b/arm/Microsoft.Network/loadBalancers/parameters/parameters.json
@@ -14,22 +14,6 @@ "privateIPAddress": "" } } - // { - // "name": "privateIPConfigDynamic", - // "properties": { - // "publicIPAddressId": "", - // "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-x-001", - // "privateIPAddress": "" - // } - // } - // { - // "name": "privateIPConfigStatic", - // "properties": { - // "publicIPAddressId": "", - // "subnetId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-001/subnets/sxx-az-subnet-x-001", - // "privateIPAddress": "X.X.X.X" - // } - // } ] }, "backendAddressPools": { @@ -54,21 +38,6 @@ "backendAddressPoolName": "backendAddressPool" } } - // { - // "name": "privateIPLBRule", - // "properties": { - // "frontendIPConfigurationName": "privateIPConfig", - // "frontendPort": 80, - // "backendPort": 80, - // "enableFloatingIP": false, - // "idleTimeoutInMinutes": 5, - // "protocol": "TCP", - // "enableTcpReset": false, - // "loadDistribution": false, - // "disableOutboundSnat": false, - // "probeName": "probe" - // } - // } ] }, "probes": { diff --git a/arm/Microsoft.Network/loadBalancers/readme.md b/arm/Microsoft.Network/loadBalancers/readme.md index 18502e4c82..41592daa6b 100644 --- a/arm/Microsoft.Network/loadBalancers/readme.md +++ b/arm/Microsoft.Network/loadBalancers/readme.md @@ -8,8 +8,8 @@ This module deploys a Load Balancer |:--|:--| |`Microsoft.Resources/deployments`|2018-02-01| |`Microsoft.Network/loadBalancers`|2021-02-01| -|`Microsoft.Network/loadBalancers/providers/diagnosticSettings`|2017-05-01-preview| -|`providers/locks`|2016-09-01| +|`Microsoft.Insights/diagnosticSettings`|2017-05-01-preview| +|`Microsoft.Authorization/locks`|2016-09-01| |`Microsoft.Network/loadBalancers/providers/roleAssignments`|2018-09-01-preview| ## Parameters 
diff --git a/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_cuaId.bicep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep
new file mode 100644
index 0000000000..193909a62c
--- /dev/null
+++ b/arm/Microsoft.Network/localNetworkGateways/.bicep/nested_rbac.bicep
@@ -0,0 +1,11 @@
+param roleAssignmentObj object
+param builtInRoleNames object
+param resourceName string
+
+resource roleAssigment 'Microsoft.Network/localNetworkGateways/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+ properties: {
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
+ principalId: principalId
+ }
+}]
diff --git a/arm/Microsoft.Network/localNetworkGateways/deploy.bicep b/arm/Microsoft.Network/localNetworkGateways/deploy.bicep
new file mode 100644
index 0000000000..92059ee4cc
--- /dev/null
+++ b/arm/Microsoft.Network/localNetworkGateways/deploy.bicep
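Review bot: In nested_rbac.bicep the assignment name is seeded only with `guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)`, so two gateways that share a name in different resource groups or subscriptions and grant the same role to the same principal get the same GUID; role assignment names appear to need to be unique across the tenant, so the second deployment would likely be rejected rather than create a separate assignment. Seeding the name with the scope as well, e.g. `guid(resourceGroup().id, resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)`, keeps it deterministic per scope. The same role passed once as a display name and once as a full definition ID also yields two different GUIDs for one logical assignment, which is worth a comment on the `roleDefinitionIdOrName` parameter. The symbolic name `roleAssigment` is missing an `n`.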
@@ -0,0 +1,100 @@
+@description('Required. Name of the Local Network Gateway')
+@minLength(1)
+param localNetworkGatewayName string
+
+@description('Optional. Location for all resources.')
+param location string = resourceGroup().location
+
+@description('Required. List of the local (on-premises) IP address ranges')
+param localAddressPrefixes array
+
+@description('Required. Public IP of the local gateway')
+param localGatewayPublicIpAddress string
+
+@description('Optional. The BGP speaker\'s ASN. Not providing this value will automatically disable BGP on this Local Network Gateway resource.')
+param localAsn string = ''
+
+@description('Optional. The BGP peering address and BGP identifier of this BGP speaker. Not providing this value will automatically disable BGP on this Local Network Gateway resource.')
+param localBgpPeeringAddress string = ''
+
+@description('Optional. The weight added to routes learned from this BGP speaker. This will only take effect if both the localAsn and the localBgpPeeringAddress values are provided.')
+param localPeerWeight string = ''
+
+@description('Optional. Switch to lock Local Network Gateway from deletion.')
+param lockForDeletion bool = false
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+@description('Optional. FQDN of local network gateway.')
+param fqdn string = ''
+
+var bgpSettings = {
+ asn: localAsn
+ bgpPeeringAddress: localBgpPeeringAddress
+ peerWeight: (empty(localPeerWeight) ? '0' : localPeerWeight)
+}
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+
+}
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource localNetworkGateway 'Microsoft.Network/localNetworkGateways@2021-02-01' = {
+ name: localNetworkGatewayName
+ location: location
+ tags: tags
+ properties: {
+ localNetworkAddressSpace: {
+ addressPrefixes: localAddressPrefixes
+ }
+ fqdn: ((!empty(fqdn)) ? json('null') : fqdn)
+ gatewayIpAddress: localGatewayPublicIpAddress
+ bgpSettings: (((!empty(localAsn)) && (!empty(localBgpPeeringAddress))) ? bgpSettings : json('null'))
+ }
+}
+
+resource localNetworkGateway_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+ name: '${localNetworkGateway.name}-doNotDelete'
+ properties: {
+ level: 'CanNotDelete'
+ }
+ scope: localNetworkGateway
+}
+
+module localNetworkGateway_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
+ params: {
+ roleAssignmentObj: roleAssignment
+ builtInRoleNames: builtInRoleNames
+ resourceName: localNetworkGateway.name
+ }
+}]
+
+output localNetworkGatewayResourceId string = localNetworkGateway.id
+output localNetworkGatewayResourceGroup string = resourceGroup().name
+output localNetworkGatewayName string = localNetworkGateway.name
diff --git a/arm/Microsoft.Network/localNetworkGateways/deploy.json b/arm/Microsoft.Network/localNetworkGateways/deploy.json
index f3a77f4a63..45e6d22726
--- a/arm/Microsoft.Network/localNetworkGateways/deploy.json
+++ b/arm/Microsoft.Network/localNetworkGateways/deploy.json
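Review bot: The condition on the `fqdn` property of `localNetworkGateway`, `fqdn: ((!empty(fqdn)) ? json('null') : fqdn)`, is inverted: a supplied FQDN is replaced by null and an omitted one is sent as the empty string; it should read `fqdn: (empty(fqdn) ? json('null') : fqdn)`, consistent with the `bgpSettings` line two below it. The `roleAssignments` description documents a `principalId` attribute, but nested_rbac.bicep iterates `roleAssignmentObj.principalIds`, so the description should name `principalIds` and say it is an array. `localAsn` and `localPeerWeight` are declared `string` and passed straight through `bgpSettings` to the resource, while the provider's `asn` and `peerWeight` are, as far as I recall, numeric; this mirrors the removed JSON template, but it is worth confirming the provider accepts strings before the module ships.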
@@ -94,179 +94,21 @@ "peerWeight": "[if(empty(parameters('localPeerWeight')), '0', parameters('localPeerWeight'))]" }, "builtInRoleNames": { - "AcrDelete": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c2f4ef07-c644-48eb-af81-4b1b4947fb11')]", - "AcrImageSigner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6cef56e8-d556-48e5-a04f-b8e64114680f')]", - "AcrPull": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f951dda-4ed3-4680-a7ca-43fe172d538d')]", - "AcrPush": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8311e382-0749-4cb8-b61a-304f252e45ec')]", - "AcrQuarantineReader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cdda3590-29a3-44f6-95f2-9f980659eb04')]", - "AcrQuarantineWriter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c8d4ff99-41c3-41a8-9f60-21dfdad59608')]", - "API Management Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '312a565d-c81f-4fd8-895a-4e21e48d571c')]", - "API Management Service Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')]", - "API Management Service Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '71522526-b88f-4d52-b57f-d31fc3546d0d')]", - "App Configuration Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')]", - "App Configuration 
Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '516239f1-63e1-4d78-a4de-a74fb236a071')]", - "Application Insights Component Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ae349356-3a1b-4a5e-921d-050484c6347e')]", - "Application Insights Snapshot Debugger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '08954f03-6346-4c2e-81c0-ec3a5cfae23b')]", - "Attestation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bbf86eb8-f7b4-4cce-96e4-18cddf81d86e')]", - "Attestation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fd1bd22b-8476-40bc-a0bc-69b95687b9f3')]", - "Automation Job Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4fe576fe-1146-4730-92eb-48519fa6bf9f')]", - "Automation Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd3881f73-407a-4167-8283-e981cbba0404')]", - "Automation Runbook Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5fb5aef8-1081-4b8e-bb16-9d5d0385bab5')]", - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Connected Machine Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', 'b64e21ea-ac4e-4cdf-9dc9-5b892992bee7')]", - "Azure Connected Machine Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cd570a14-e51a-42ad-bac8-bafd67325302')]", - "Azure Digital Twins Owner (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'bcd981a7-7f74-457b-83e1-cceb9e632ffe')]", - "Azure Digital Twins Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd57506d4-4c8d-48b1-8587-93c323f6a5a3')]", - "Azure Event Hubs Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f526a384-b230-433a-b45c-95f59c4a2dec')]", - "Azure Event Hubs Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde')]", - "Azure Event Hubs Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2b629674-e913-4c01-ae53-ef4638d8f975')]", - "Azure Kubernetes Service Cluster Admin Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]", - "Azure Kubernetes Service Cluster User Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4abbcc35-e782-43d8-92c5-2d3f1bd2253f')]", - "Azure Kubernetes Service Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8')]", - "Azure Maps Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204')]", - "Azure Maps Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '423170ca-a8f6-4b0f-8487-9e4eb8f49bfa')]", - "Azure Sentinel Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ab8e14d6-4a74-4a29-9ba8-549422addade')]", - "Azure Sentinel Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d289c81-5878-46d4-8554-54e1e3d8b5cb')]", - "Azure Sentinel Responder": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3e150937-b8fe-4cfb-8069-0eaf05ecd056')]", - "Azure Service Bus Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '090c5cfd-751d-490a-894a-3ce6f1109419')]", - "Azure Service Bus Data Receiver": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')]", - "Azure Service Bus Data Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')]", - "Azure Stack Registration Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6f12a6df-dd06-4f3e-bcb1-ce8be600526a')]", - "Backup Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '00c29273-979b-4161-815c-10b084fb9324')]", - "Backup Reader": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a795c7a0-d4a2-40c1-ae25-d81f01202912')]", - "Billing Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64')]", - "BizTalk Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5e3c6656-6cfa-4708-81fe-0de47ac73342')]", - "Blockchain Member Node Access (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '31a002a1-acaf-453e-8a5b-297c9ca1ea24')]", - "Blueprint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '41077137-e803-4205-871c-5a86e6a753b4')]", - "Blueprint Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '437d2ced-4a38-4302-8479-ed2bcb43d090')]", - "CDN Endpoint Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '426e0c7f-0c7e-4658-b36f-ff54d6c29b45')]", - "CDN Endpoint Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '871e35f6-b5c1-49cc-a043-bde969a0f2cd')]", - "CDN Profile Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ec156ff8-a8d1-4d15-830c-5b80698ca432')]", - "CDN Profile Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8f96442b-4075-438f-813d-ad51ab4019af')]", - "Classic Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'b34d265f-36f7-4a0d-a4d4-e158ca92e90f')]", - "Classic Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '86e8f5dc-a6e9-4c67-9d15-de283e8eac25')]", - "Classic Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '985d6b00-f706-48f5-a6fe-d0ca12fb668d')]", - "Classic Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd73bb868-a0df-4d4d-bd69-98a00b01fccb')]", - "ClearDB MySQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9106cda0-8a86-4e81-b686-29a22c54effe')]", - "Cognitive Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68')]", - "Cognitive Services Custom Vision Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c1ff6cc2-c111-46fe-8896-e0ef812ad9f3')]", - "Cognitive Services Custom Vision Deployment": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5c4089e1-6d96-4d2f-b296-c1bc7137275f')]", - "Cognitive Services Custom Vision Labeler": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '88424f51-ebe7-446f-bc41-7fa16989e96c')]", - "Cognitive Services Custom Vision Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '93586559-c37d-4a6b-ba08-b9f0940c2d73')]", - "Cognitive Services Custom Vision Trainer": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '0a5ae4ab-0d65-4eeb-be61-29fc9b54394b')]", - "Cognitive Services Data Reader (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b59867f0-fa02-499b-be73-45a86b5b3e1c')]", - "Cognitive Services QnA Maker Editor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f4cc2bf9-21be-47a1-bdf1-5c5804381025')]", - "Cognitive Services QnA Maker Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '466ccd10-b268-4a11-b098-b4849f024126')]", - "Cognitive Services User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a97b65f3-24c7-4388-baec-2e87135dc908')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Account Reader Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fbdf93bf-df7d-467e-a4d2-9458aa1360c8')]", - "Cosmos DB Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "CosmosBackupOperator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db7b14f2-5adf-42da-9f96-f2ee17bab5cb')]", - "Cost Management Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '434105ed-43f6-45c7-a02f-909b2ba83430')]", - "Cost Management Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '72fafb9e-0641-4937-9268-a91bfd8191a3')]", - "Data Box 
Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'add466c9-e687-43fc-8d98-dfcf8d720be5')]", - "Data Box Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027')]", - "Data Factory Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '673868aa-7521-48a0-acc6-0f60742d39f5')]", - "Data Lake Analytics Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '47b7735b-770e-4598-a7da-8b91488b4c88')]", - "Data Purger": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '150f5e0c-0603-4f03-8c7f-cf70034c4e90')]", - "Desktop Virtualization User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63')]", - "DevTest Labs User": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "EventGrid EventSubscription Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '428e0ff0-5e57-4d9c-a221-2c70d0e0a443')]", - "EventGrid EventSubscription Reader": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '2414bbcf-6497-4faf-8c65-045460748405')]", - "Experimentation Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a33b-edd6ce5c915c')]", - "Experimentation Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7f646f1b-fa08-80eb-a22b-edd6ce5c915c')]", - "Experimentation Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '49632ef5-d9ac-41f4-b8e7-bbe587fa74a1')]", - "FHIR Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5a1fc7df-4bf1-4951-a576-89034ee01acd')]", - "FHIR Data Exporter": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3db33094-8700-4567-8da5-1501d4e7e843')]", - "FHIR Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4c8d0bbc-75d3-4935-991f-5f3c56d81508')]", - "FHIR Data Writer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3f88fce4-5892-4214-ae73-ba5294559913')]", - "Graph Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b60367af-1334-4454-b71e-769d9a4f83d9')]", - "HDInsight Cluster Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '61ed4efc-fab3-44fd-b111-e24485cc132a')]", - "HDInsight Domain Services Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8d8d5a11-05d3-4bda-a417-a08778121c7c')]", - "Hierarchy Settings Administrator": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '350f8d15-c687-4448-8ae1-157740a3936d')]", - "Hybrid Server Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb')]", - "Hybrid Server Resource Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '48b40c6e-82e0-4eb3-90d5-19e40f49b624')]", - "Integration Service Environment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a41e2c5b-bd99-4a07-88f4-9bf657a760b8')]", - "Integration Service Environment Developer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7aa55d3-1abb-444a-a5ca-5e51e485d6ec')]", - "Intelligent Systems Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '03a6d094-3444-4b3d-88af-7477090a9e5e')]", - "Key Vault Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f25e0fa2-a7c8-4377-a976-54943a77a395')]", - "Knowledge Consumer": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ee361c5d-f7b5-4119-b4b6-892157c8f64c')]", - "Kubernetes Cluster - Azure Arc Onboarding": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '34e09817-6cbe-4d01-b1a2-e0eac5743d41')]", - "Lab Creator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b97fb8bc-a8b2-4522-a38b-dd33c7e65ead')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Logic App Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '87a39d53-fc1b-424a-814c-f7e04687dc9e')]", - "Logic App Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Managed Services Registration assignment Delete ": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '91c1777a-f3dc-4fae-b103-61d183457e46')]", - "Management Group Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c')]", - "Management Group Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ac63b705-f282-497d-ac71-919bf39d939d')]", - "Marketplace Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dd920d6d-f481-47f1-b461-f338c46b2d9f')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "New Relic APM Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d28c62d-5b37-4476-8438-e587778df237')]", - "Object Understanding Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4dd61c23-6743-42fe-a388-d8bdd41cb745')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Policy Insights Data Writer (Preview)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '66bb4e9e-b016-4a94-8249-4c0511c2be84')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Reader and Data Access": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c12c1c16-33a1-487b-954d-41c89c60f349')]", - "Redis Cache Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e0f68234-74aa-48ed-b826-c38b57376e17')]", - "Remote Rendering Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3df8b902-2a6f-47c7-8cc5-360e9b272a7e')]", - "Remote Rendering Client": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'd39065c4-c120-43c9-ab0a-63eed9795f0a')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Scheduler Job Collections Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '188a0f2f-5c9e-469b-ae67-2aa5ce574b94')]", - "Search Service Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '7ca78c08-252a-4471-8644-bb5ff32d4ba0')]", - "Security Admin": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb1c8493-542b-48eb-b624-b4c8fea62acd')]", - "Security Assessment Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '612c2aa1-cb24-443b-ac28-3ab7272de6f5')]", - 
"Security Manager (Legacy)": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e3d13bf0-dd5a-482e-ba6b-9b8433878d10')]", - "Security Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '39bc4728-0917-49c7-9d2c-d95423bc2eb4')]", - "SignalR AccessKey Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '04165923-9d83-45d5-8227-78b77b0a687e')]", - "SignalR Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761')]", - "Site Recovery Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "Site Recovery Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'dbaa88c4-0c30-4179-9fb3-46319faa6149')]", - "Spatial Anchors Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827')]", - "Spatial Anchors Account Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '70bbe301-9835-447d-afdd-19eb3167307c')]", - "Spatial Anchors Account Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '5d51204f-eb77-4b1c-b86a-2ec626c49413')]", - "SQL DB Contributor": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Authorization/roleDefinitions/', '9b7fa17d-e63e-47b0-bb0a-15c516ac86ec')]", - "SQL Managed Instance Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "SQL Server Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437')]", - "Storage Account Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Storage Account Key Operator Service Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '81a9662b-bebf-436f-a333-f67b29880f12')]", - "Storage Blob Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]", - "Storage Blob Data Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]", - "Storage Blob Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1')]", - "Storage Blob Delegator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'db58b8e5-c6ad-4a2a-8342-4190687cbf4a')]", - "Storage File Data SMB Share Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 
'0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb')]", - "Storage File Data SMB Share Elevated Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a7264617-510b-434b-a828-9731dc254ea7')]", - "Storage File Data SMB Share Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'aba4ae5f-2193-4029-9191-0cb91df5e314')]", - "Storage Queue Data Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '974c5e8b-45b9-4653-ba55-5f855dd0fb88')]", - "Storage Queue Data Message Processor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8a0f0c08-91a1-4084-bc3d-661d67233fed')]", - "Storage Queue Data Message Sender": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c6a89b2d-59bc-44d0-9896-0f6e12d7b80a')]", - "Storage Queue Data Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '19e7f393-937e-4f77-808e-94535e297925')]", - "Support Request Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e')]", - "Tag Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4a9ae827-6dc8-4573-8ac7-8239d42aa03f')]", - "Traffic Manager Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine 
Administrator Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Web Plan Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')]", - "Website Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'de139f84-1756-47ae-9be6-808fbbe84772')]", - "Workbook Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'e8ddcd69-c73f-4f9f-9844-4100522f16ad')]", - "Workbook Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b279062a-9be3-42a0-92ae-8b3cf002ec4d')]" + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Metrics Publisher": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" } }, "resources": [ diff --git a/arm/Microsoft.Network/privateDnsZones/.bicep/nested_cuaId.bicep b/arm/Microsoft.Network/privateDnsZones/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..e69de29bb2 diff --git a/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep b/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep new file mode 100644 index 0000000000..0ce86e7398 --- /dev/null +++ b/arm/Microsoft.Network/privateDnsZones/.bicep/nested_rbac.bicep 
@@ -0,0 +1,11 @@
+param roleAssignmentObj object
+param builtInRoleNames object
+param resourceName string
+
+resource roleAssigment 'Microsoft.Network/privateDnsZones/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+ properties: {
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
+ principalId: principalId
+ }
+}]
diff --git a/arm/Microsoft.Network/privateDnsZones/deploy.bicep b/arm/Microsoft.Network/privateDnsZones/deploy.bicep
new file mode 100644
index 0000000000..dda235b8fe
--- /dev/null
+++ b/arm/Microsoft.Network/privateDnsZones/deploy.bicep
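Review bot: The role assignment created in the `for` loop sets no `principalType`, so an assignment to a freshly created service principal or managed identity can fail while the object is still replicating, because Azure cannot tell what kind of principal to wait for; consider accepting an optional `principalType` on `roleAssignmentObj` and emitting it, e.g. `principalType: contains(roleAssignmentObj, 'principalType') ? roleAssignmentObj.principalType : null`. When `roleDefinitionIdOrName` is not a key of `builtInRoleNames` the raw value is passed through as the role definition ID, so a misspelled display name only surfaces as a deployment error at assignment time rather than at validation; a comment on that line such as `// not a known display name: value must be a full roleDefinitions resource ID` would make the contract explicit for callers. The symbolic name `roleAssigment` is missing an `n`.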
@@ -0,0 +1,83 @@
+@description('Required. Private DNS zone name.')
+param privateDnsZoneName string
+
+@description('Optional. Array of custom objects describing vNet links of the DNS zone. Each object should contain properties \'vnetResourceId\' and \'registrationEnabled\'. The \'vnetResourceId\' is a resource Id of a vNet to link, \'registrationEnabled\' (bool) enables automatic DNS registration in the zone for the linked vNet.')
+param vnetLinks array = []
+
+@description('Optional. The location of the PrivateDNSZone. Should be global.')
+param location string = 'global'
+
+@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'')
+param roleAssignments array = []
+
+@description('Optional. Tags of the resource.')
+param tags object = {}
+
+@description('Optional. Switch to lock Traffic Manager from deletion.')
+param lockForDeletion bool = false
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4f8fab4f-1852-4a58-a46a-8eaf358af14a')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','4d97b98b-1d4f-4787-a291-c67834d212e7')
+ 'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b12aa53e-6015-4669-85d0-8515ebb3ae7f')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource privateDnsZone 'Microsoft.Network/privateDnsZones@2018-09-01' = {
+ name: privateDnsZoneName
+ location: location
+ tags: tags
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2018-09-01' = [for vnetLink in vnetLinks: if (!empty(vnetLinks)) {
+ name: '${(empty(vnetLinks) ? 'dummy' : last(split(vnetLink.vnetResourceId, '/')))}'
+ location: location
+ tags: tags
+ properties: {
+ registrationEnabled: vnetLink.registrationEnabled
+ virtualNetwork: {
+ id: vnetLink.vnetResourceId
+ }
+ }
+ }]
+}
+
+resource privateDnsZone_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockForDeletion) {
+ name: '${privateDnsZone.name}-doNotDelete'
+ properties: {
+ level: 'CanNotDelete'
+ }
+ scope: privateDnsZone
+}
+
+module privateDnsZone_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
+ params: {
+ roleAssignmentObj: roleAssignment
+ builtInRoleNames: builtInRoleNames
+ resourceName: privateDnsZone.name
+ }
+}]
+
+output privateDnsZoneResourceGroup string = resourceGroup().name
+output privateDnsZoneName string = privateDnsZone.name
+output privateDnsZoneResourceId string = privateDnsZone.id
diff --git a/arm/Microsoft.Network/privateDnsZones/deploy.json b/arm/Microsoft.Network/privateDnsZones/deploy.json
deleted file mode 100644
index 6e7c958f5b..0000000000
--- a/arm/Microsoft.Network/privateDnsZones/deploy.json
+++ /dev/null
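Review bot: The `@description` on `lockForDeletion` reads `Optional. Switch to lock Traffic Manager from deletion.` but this module deploys a Private DNS zone, so the generated parameter documentation is wrong; change it to `@description('Optional. Switch to lock the Private DNS zone from deletion.')`. The `if (!empty(vnetLinks))` guard and the `'dummy'` name fallback on the `virtualNetworkLinks` loop are carried over from the ARM copy-loop and are redundant in Bicep, since a `for` over an empty array emits no resources; `name: last(split(vnetLink.vnetResourceId, '/'))` is sufficient and easier to read. `builtInRoleNames` resolves `Owner` and `User Access Administrator`, both of which let the assigned principal delegate further access on the zone, so a one-line comment above the map stating that the list is intentionally broad, or trimming it to the roles relevant to DNS, would make that least-privilege decision explicit to callers.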
@@ -1,201 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Required. Private DNS zone name." - } - }, - "vnetLinks": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of custom objects describing vNet links of the DNS zone. Each object should contain properties 'vnetResourceId' and 'registrationEnabled'. The 'vnetResourceId' is a resource Id of a vNet to link, 'registrationEnabled' (bool) enables automatic DNS registration in the zone for the linked vNet." - } - }, - "location": { - "type": "string", - "defaultValue": "global", - "metadata": { - "description": "Optional. The location of the PrivateDNSZone. Should be global." - } - }, - "roleAssignments": { - "defaultValue": [ - ], - "type": "array", - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'" - } - }, - "tags": { - "type": "object", - "defaultValue": { - }, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "cuaId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Customer Usage Attribution id (GUID). 
This GUID must be previously registered" - } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Metrics Publisher": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '3913510d-42f4-4e42-8a64-420c390055eb')]", - "Monitoring Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": 
"[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "User Access Administrator": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "name": "[concat('pid-', parameters('cuaId'))]", - "condition": "[not(empty(parameters('cuaId')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [ - ] - } - } - }, - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2018-09-01", - "name": "[parameters('privateDnsZoneName')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2018-09-01", - "name": "[concat(parameters('privateDnsZoneName'), '/', if(empty(parameters('vnetLinks')), 'dummy', last(split(parameters('vnetLinks')[copyIndex()].vnetResourceId,'/'))))]", - "condition": 
"[not(empty(parameters('vnetLinks')))]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "dependsOn": [ - "[parameters('privateDnsZoneName')]" - ], - "copy": { - "name": "vnetLinksCopy", - "count": "[length(parameters('vnetLinks'))]" - }, - "properties": { - "registrationEnabled": "[parameters('vnetLinks')[copyIndex()].registrationEnabled]", - "virtualNetwork": { - "id": "[parameters('vnetLinks')[copyIndex()].vnetResourceId]" - } - } - }, - { - "name": "[concat('rbac-',deployment().name, copyIndex())]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-01-01", - "condition": "[not(empty(parameters('roleAssignments')))]", - "dependsOn": [ - "[parameters('privateDnsZoneName')]" - ], - "copy": { - "name": "rbacDeplCopy", - "count": "[length(parameters('roleAssignments'))]" - }, - "properties": { - "mode": "Incremental", - "expressionEvaluationOptions": { - "scope": "inner" - }, - "parameters": { - "roleAssignment": { - "value": "[parameters('roleAssignments')[copyIndex()]]" - }, - "builtInRoleNames": { - "value": "[variables('builtInRoleNames')]" - }, - "privateDnsZoneName": { - "value": "[parameters('privateDnsZoneName')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "roleAssignment": { - "type": "object" - }, - "builtInRoleNames": { - "type": "object" - }, - "privateDnsZoneName": { - "type": "string" - } - }, - "resources": [ - { - "type": "Microsoft.Network/privateDnsZones/providers/roleAssignments", - "apiVersion": "2020-03-01-preview", - "name": "[concat(parameters('privateDnsZoneName'), '/Microsoft.Authorization/', guid(uniqueString(concat(parameters('privateDnsZoneName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ) )))]", - "dependsOn": [ - ], - "copy": { - "name": "innerRbacCopy", - "count": 
"[length(parameters('roleAssignment').principalIds)]" - }, - "properties": { - "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", - "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex()]]" - } - } - ] - } - } - } - ], - "functions": [ - ], - "outputs": { - "privateDnsZoneResourceGroup": { - "type": "string", - "value": "[resourceGroup().name]", - "metadata": { - "description": "The name of the Resource Group the resources was deployed to." - } - }, - "privateDnsZoneName": { - "type": "string", - "value": "[parameters('privateDnsZoneName')]", - "metadata": { - "description": "The Name of the private DNS zone." - } - }, - "privateDnsZoneResourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]", - "metadata": { - "description": "The Resource Id of the private DNS zone." - } - } - } -} diff --git a/arm/Microsoft.Network/privateDnsZones/parameters/parameters.json b/arm/Microsoft.Network/privateDnsZones/parameters/parameters.json index b7de621f39..7fed517cc9 100644 --- a/arm/Microsoft.Network/privateDnsZones/parameters/parameters.json +++ b/arm/Microsoft.Network/privateDnsZones/parameters/parameters.json @@ -5,23 +5,5 @@ "privateDnsZoneName": { "value": "test.local" } - // "vnetLinks": { - // "value": [ - // { - // "vnetResourceId": "/subscriptions/xxx-xxx-xxx-xxx-xxx/resourceGroups/xxx/providers/Microsoft.Network/virtualNetworks/testvnet", - // "registrationEnabled": false - // } - // ] - // }, - // "roleAssignments": { - // "value": [ - // { - // "roleDefinitionIdOrName": "User Access Administrator", - // "principalIds": [ - // "xxx-xxx-xxx-xxx-xxx" - // ] - // } - // ] - // } } } \ No newline at end of file 
diff --git a/arm/Microsoft.Network/privateDnsZones/readme.md b/arm/Microsoft.Network/privateDnsZones/readme.md index 8c93410d40f0a263304448a6078f028c950f1062..4bd7aeab0e8d6ec3b4545d4ceeb25518e7b15b63 100644 GIT binary patch literal 4339 zcmd@YU2oeq@ZG=S;66AlBFpx?B+b*jxGe&#Nsy#@SP{UqMA>X)QY9&8&XWJWJ4&J? z*D10M!v@RB+@@5?K=&|=LjpGxzqlH7DUui%m!mFtLiI@e2K!17g=A_&AhOV!3e zR-nN2>X4T8ZzFc>=g2F4k;_e$S|rD&BlGo(Kn43C1r+m|DSYoTq<(vs#c zLf)CbMkv#2En?I-)GFl@W5hxhx;VK=nK8;0WSXx9zu#7BlG~-y;(=MTSeUBF%Yh~+ z6++85OpoT`GUhVckncDoDoxeBkPFbIPYp25@$G9aG>^e5m~&wBl+$BjZLs9^3ZZcB z1=DQBEviC}^>1*7r>INm;3+qe78!|)hf|)gJheA0%?aj0q5i~ZO$TN>0-DiK$3&E~ z)0m8JtR^)c;oOmDX&+8cpyUJ%%*Q3D`4=8p zO!+0V5GiSykWRfGL83#26lCDj_*|2iJzz419?CBxk+JkN?iF!_fE+G=o}6s6Fo3bq z4lp<^c>(`zSSEDRQ@jWbB)6Q^D5h296HL7;X?o}%x+ zVv37IpzAR28Tg(FdhfvBR&sUax@Ia z^Wl8_c6^x3hr=E^9p zlE*tdc9}b;6kB86gOrM1#mLurc*mk;i36sH@G45sOc~c!U}pD7h^mHDNVp&=a!tF; zdMBym#63z+{w+L~ALa`XoW>*wD+I$TMY8QfZx=n-n=6&R2JYx1l^iPsa*SNYG%+fV zQ~$y;Sp*SL#&{qLkWm{hq2l{q=_yY+#XqGdaccSI>Rwnh4@rp7aIIOAAm@)vVtLY# zXtlx$TM!`f?^$Z7Fk&TiRlKgMuAm*mtafInGn>u67$rMhf7m^S-#dVxuB)i{`q{nG zQE@>}^l><~LlCkXntbkywF!SKKLP!2eN}g1)e=5vm1o$~7E}Uu<_8+kwc~atH6h7P zNW<>F7u5;abWIr?D5cdo_i#@&%70wD(aW?;$p5u^?&-GkM4o;wAgIzb$B0H)Y+e0{ z;Aoexsj{_)`OD4>U}FFJoa z7^2}I466b&^tSOd5DIAwM_cIb)zfH@7_~^;`nTs}>3L&Za)zVa|4;9o3I6vR;6G%@ zhV$F;({TPvGR^g19HQC6jTG2QaL~cSYI>zH#Lbd!IEZnG0?B#I<33CrTnUi!!~!-3 zY?hXK7|p&oQu}I7e7?=qy1;ecNi3qutqqitXG#VaTEz|Xbx&wei!5DRZfrlt{QQZY zBDKnx-1PCc34ejh-I5u8t|_1qi!!naaH5Po!JVtPrPOTRUU9t^5vMv%$Wyl!(prO) zzKC6aZ-QT9&3YEjx#FoVdT^fGEVpjUC?3DJV&LrD*dgn!p*>GmjnB2M)?iJ;heS21 zL8pQQ2kPd^s^=NFM;8|hlG~fGgTG*O-{w$}^OSayspQyNeTZ0f1-RmrtH(~7w2@<6 z7+OD_OVFfm&cewXx2sR$*v;`Q^ZGOjr-e)eulG;M?o@>wkmg9~nt%iU0rr literal 8604 zcmeI2TW?cG5XbkqQoqBIc?cj9H-VPRQ(Zs^sU=a8@=%22OYC48?9@)6q2;T${r`46 z*>iQA2&z_~$UZ*1voo`E-`V{A*R_y^oiGdI@HX_qNf?GlVG`!ymoU|Hs9#@)ui^*D z-8eE0r&=-4Z=c%_uY_SP2r#?}$Khy!Eei)4;e8s;BE)flS|)nW!k$*XUr^jQ$9gT) z(S*jCFy?vtvxc`U>@VQ5z;}4 
z_7BBbUOS0D*U#;R%+{m4hY{aUS^&~59~-T=QnP!s&##Fr=j?nH{xTGvk+?jHzVR+f z>QG}d&0t^dV|Z0Bj@sOBnnB`2;l&rG`tC<;Jw4f>kLEp(G566jg|f%(M0&j_9sC*j z`F`<}>U<`>8@x%e=y{KXV;((cEJ>b-dt!@0GB?uNQ*nMG-^7Ma;~tC>zJ|7ZXGAH3 zKrR>gZj(>v$CKv`M7bB9O0I6LbMZuMoXA>?-|gHE;ABJN548@+X_VMZBR}iCr#0xJ zqZz}}7hKx?IO^|ucp~Vhih?&Ht`tdqJQG&K?|R0%%^Ih|mwT*i|L??@D}Hg>-g<(F~`vEFkFvfC3JyEux{Fgres z-1VcTfng6_$q8CE>fF|iCVei8l5Ve#sjBH+@t^lKI4SO?n!7Stiur-_T_<~D)5Vbp zpPvaEx%n}{vD!YJg(QAj{mT;Yk?x~)54!E(flxH&S2FXB=DBwPDpwYQtsfp00 z+eq10oI|UbOfE^%&?oEzM zBkjyGXkGo&5nc8PhOuh66j9n5X|@|O@<5f)DBOuQ@J+a@Y&%d*bVq;d`rOlaU%z^S zxu-gYvA&*tJ@4ytSL3{IMtj0T_9R`4es2^@w>9gQ{vy28yvM>6A+YvCt??+3_l{<- z+h44z>aUo&m&Jg$(h4U6_%6qC- z=UI5H{STz`BArYW^0B-ePs~@S+o=}Ekt1x)B|*H+*F7F7QZ&hDI3lCRpvTdptU@5V zAou;~g{$DVb4yQaz@O)U2tpjQ$O=S~n8h#r4Y}c)#L1L_m+_Z{>(b9OddCf|q&oE4 z4Q){kSv6sM9B9n-&_tu`=YE>98Z#e_oM(#>z9YBQs;A&BUgg$ReyP?Wc6876nYV0k z@ae|C*HOxoIMS+tZ^bC|N1V@ulRx0R^0WCDg?Wc7uJTcTCThDSU88Bk+frnjO9Op< zbK1+-tVFHfOMmO<@5_Ic*AX9!_Vz?04-J&Q=&*R&zpM_oKC%uupB>32o3xnM?aQd? z5AoZ)-F^QuF~lo}rn9=^tcxeh*M7>_;*?jZFg?})J68rF-XF_Do)`SJSW(%zlKgqG zkJ{O%TzStIF|Iy#x?lRUrP^vM+*Ymit?IJ7v6JK@>*sTIza0L4>_C}4W{Ng#?J!@P zWWtiS9;aM>wjy<^J}|>W9o4$ADkt@PY%S%(th&tARpZxH?1X&Pi*?)=?SFpSUp@c- z7tUkPJ*2ptm|UXoK?JDX4X3v)?q95EjZ)Q zEdt+Af1DN%;wh@5F~?WLK>vyxkWBq>>v>SQ@^0rOr=5Dsb-CJiwpv!MuM1l`k4_eK zE?pt->3fEKri?RDzSxP?HC29necMv!$va?l$9z5AR8H0#+8;I0EPSsw8{>@2Z5LqY@bggX=-1^}lcUMG&8zn!JQXGPcV6{7 zb*d4+t8+O%7q6Td5A^gCcQgK7affYO9%J5btbVlbY86Q@6k9uv-^II${LEEvCE$c! zQMvB|O|*zbM^Mly8P#s`K` Consider adding more of the [`Microsoft.Management`](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftmanagement) and [`Microsoft.Subscription`](https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftsubscription) operations to the custom role as needed. 
-
-## Additional resources
-
-- [Use tags to organize your Azure resources | Microsoft Docs](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
-- [Azure Resource Manager template reference | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/)
-- [Deployments | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
-- [Aliases | Microsoft Docs](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Subscription/2020-09-01/aliases)
-- [Programmatically create Azure subscriptions with preview APIs | Microsoft Docs](https://docs.microsoft.com/en-us/azure/cost-management-billing/manage/programmatically-create-subscription-preview)
-- [Enable subscription creation to a service principal | GitHub](https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/enable-subscription-creation.md)
diff --git a/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep b/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep
index 7fa0b5fa5f..d3de407f69 100644
--- a/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Web/connections/.bicep/nested_rbac.bicep
@@ -1,12 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param connectionName string
+param resourceName string
 
-resource nested_rbac 'Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: '${connectionName}/Microsoft.Authorization/${guid(connectionName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.Web/connections/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
 principalId: principalId
 }
- dependsOn: []
 }]
diff --git a/arm/Microsoft.Web/connections/deploy.bicep b/arm/Microsoft.Web/connections/deploy.bicep
index 1dcfe7003e..1334703da9 100644
--- a/arm/Microsoft.Web/connections/deploy.bicep
+++ b/arm/Microsoft.Web/connections/deploy.bicep
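Review bot: The new symbolic resource name `roleAssigment` is misspelled, and the same typo is introduced in the hostingEnvironments, serverfarms and sites `nested_rbac.bicep` hunks of this commit; nothing else in these files references the symbol, so `resource roleAssignment 'Microsoft.Web/connections/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {` is a safe rename. More substantively, the assignment name is seeded with the raw `roleAssignmentObj.roleDefinitionIdOrName`, so a caller who passes the display name in one deployment and the equivalent full role definition id in the next gets a different `guid(...)`, i.e. a second assignment for the same principal, role and scope, which Azure RBAC (as far as I know) rejects as already existing instead of treating the redeploy as idempotent. Resolving the id once, `var roleDefinitionId = contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName`, then seeding with `guid(resourceName, principalId, roleDefinitionId)` and setting `roleDefinitionId: roleDefinitionId`, keeps the name stable however the role was spelled and removes the duplicated ternary.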
@@ -48,21 +48,21 @@ param tags object = {}
 param testLinks array = []
 
 var builtInRoleNames = {
- 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
- 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','87a39d53-fc1b-424a-814c-f7e04687dc9e')
- 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Logic App Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '87a39d53-fc1b-424a-814c-f7e04687dc9e')
+ 'Logic App Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '515c2055-d9d4-4321-b1b9-bd0c9a0f79fe')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
 }
 
 module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -96,18 +96,15 @@ resource connection_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lockFo
 scope: connection
 }
 
-module connection_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
- name: 'rbac-${deployment().name}${i}'
+module connection_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: item
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
- connectionName: connectionName
+ resourceName: connection.name
 }
- dependsOn: [
- connection
- ]
 }]
 
 output connectionResourceId string = connection.id
 output connectionResourceGroup string = resourceGroup().name
-output connectionName string = connectionName
+output connectionName string = connection.name
diff --git a/arm/Microsoft.Web/connections/readme.md b/arm/Microsoft.Web/connections/readme.md
index 46a24336d6..e437e8bf49 100644
--- a/arm/Microsoft.Web/connections/readme.md
+++ b/arm/Microsoft.Web/connections/readme.md
@@ -8,7 +8,7 @@ This module deploys an Azure API Connection.
 | ---------------------------------------------------- | ------------------ |
 | `Microsoft.Resources/deployments` | 2020-06-01 |
 | `Microsoft.Web/connections` | 2016-06-01 |
-| `Microsoft.Web/connection/providers/roleAssignments` | 2018-09-01-preview |
+| `Microsoft.Web/connection/providers/roleAssignments` | 2020-04-01-preview |
 
 ## Parameters
 
diff --git a/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep b/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep
index c6c0b58b94..9ea7e1ad81 100644
--- a/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Web/hostingEnvironments/.bicep/nested_rbac.bicep
@@ -1,12 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param appServiceEnvironmentName string
+param resourceName string
 
-resource nested_rbac 'Microsoft.DesktopVirtualization/applicationgroups/providers/roleAssignments@2018-09-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: '${appServiceEnvironmentName}/Microsoft.Authorization/${guid(appServiceEnvironmentName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.Web/hostingEnvironments/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
 principalId: principalId
 }
- dependsOn: []
 }]
diff --git a/arm/Microsoft.Web/hostingEnvironments/deploy.bicep b/arm/Microsoft.Web/hostingEnvironments/deploy.bicep
index 00f9ff9fbf..9781ef7ca9 100644
--- a/arm/Microsoft.Web/hostingEnvironments/deploy.bicep
+++ b/arm/Microsoft.Web/hostingEnvironments/deploy.bicep
@@ -112,20 +112,20 @@ var diagnosticsLogs = [
 ]
 var vnetResourceId = split(subnetResourceId, '/')
 var builtInRoleNames = {
- 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','36243c78-bf99-498c-9df9-86d9f8d28608')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
- 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions','2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+ 'Web Plan Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b')
 }
 
 module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
@@ -183,18 +183,15 @@ resource appServiceEnvironment_diagnosticSettings 'Microsoft.Insights/diagnostic
 scope: appServiceEnvironment
 }
 
-module appServiceEnvironment_rbac './.bicep/nested_rbac.bicep' = [for (roleassignment, index) in roleAssignments: {
+module appServiceEnvironment_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
 name: '${uniqueString(deployment().name, location)}-AppService-Rbac-${index}'
 params: {
- roleAssignment: roleassignment
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
- appServiceEnvironmentName: appServiceEnvironmentName
+ resourceName: appServiceEnvironment.name
 }
- dependsOn: [
- appServiceEnvironment
- ]
 }]
 
 output appServiceEnvironmentResourceId string = appServiceEnvironment.id
 output appServiceEnvironmentResourceGroup string = resourceGroup().name
-output appServiceEnvironmentName string = appServiceEnvironmentName
+output appServiceEnvironmentName string = appServiceEnvironment.name
diff --git a/arm/Microsoft.Web/hostingEnvironments/readme.md b/arm/Microsoft.Web/hostingEnvironments/readme.md
index 28a4abe1e0..e56c917e43 100644
--- a/arm/Microsoft.Web/hostingEnvironments/readme.md
+++ b/arm/Microsoft.Web/hostingEnvironments/readme.md
@@ -8,7 +8,7 @@ This module deploys App Service Environment, with resource lock.
 | :-- | :-- |
 | `Microsoft.Web/hostingEnvironments` | 2021-02-01 |
 | `Microsoft.Web/hostingEnvironments/providers/diagnosticsettings` | 2017-05-01-preview |
-| `Microsoft.Web/hostingEnvironments/providers/roleAssignments` | 2018-09-01-preview |
+| `Microsoft.Web/hostingEnvironments/providers/roleAssignments` | 2020-04-01-preview |
 | `Microsoft.Resources/deployments` | 2020-06-01 |
 | `providers/locks` | 2016-09-01 |
 
@@ -111,7 +111,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 }
 ```
 
-workerPools can have two properties workerSize and workerCount:
+workerPools can have two properties workerSize and workerCount:
 
 ```json
 "workerSize": {
@@ -136,7 +136,7 @@ workerPools can have two properties workerSize and workerCount:
 "description": "Number of instances in worker pool one. Minimum of two."
 }
 }
-```
+```
 
 ## Outputs
 
diff --git a/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep b/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep
index e8ae94236b..93ffb1b4a3 100644
--- a/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Web/serverfarms/.bicep/nested_rbac.bicep
@@ -1,12 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param appServicePlanName string
+param resourceName string
 
-resource nested_rbac 'Microsoft.Web/sites/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: '${appServicePlanName}/Microsoft.Authorization/${guid(appServicePlanName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.Web/serverfarms/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
 principalId: principalId
 }
- dependsOn: []
 }]
diff --git a/arm/Microsoft.Web/serverfarms/deploy.bicep b/arm/Microsoft.Web/serverfarms/deploy.bicep
index 31ea6c4cad..14baab4324 100644
--- a/arm/Microsoft.Web/serverfarms/deploy.bicep
+++ b/arm/Microsoft.Web/serverfarms/deploy.bicep
@@ -104,18 +104,15 @@ resource appServicePlan_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lo
 scope: appServicePlan
 }
 
-module appServicePlan_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
- name: 'rbac-${deployment().name}${i}'
+module appServicePlan_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: item
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
- appServicePlanName: appServicePlanName
+ resourceName: appServicePlan.name
 }
- dependsOn: [
- appServicePlan
- ]
 }]
 
 output appServicePlanResourceGroup string = resourceGroup().name
-output appServicePlanName string = appServicePlanName
+output appServicePlanName string = appServicePlan.name
 output appServicePlanResourceId string = appServicePlan.id
diff --git a/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep b/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep
index c2c2e0b894..0c9d9aacfe 100644
--- a/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.Web/sites/.bicep/nested_rbac.bicep
@@ -1,12 +1,11 @@
-param roleAssignment object
+param roleAssignmentObj object
 param builtInRoleNames object
-param appName string
+param resourceName string
 
-resource nested_rbac 'Microsoft.Web/sites/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignment.principalIds: {
- name: '${appName}/Microsoft.Authorization/${guid(appName, principalId, roleAssignment.roleDefinitionIdOrName)}'
+resource roleAssigment 'Microsoft.Web/sites/providers/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
 properties: {
- roleDefinitionId: (contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : roleAssignment.roleDefinitionIdOrName)
+ roleDefinitionId: (contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName)
 principalId: principalId
 }
- dependsOn: []
 }]
diff --git a/arm/Microsoft.Web/sites/deploy.bicep b/arm/Microsoft.Web/sites/deploy.bicep
index b91fe5278e..d4845bc332 100644
--- a/arm/Microsoft.Web/sites/deploy.bicep
+++ b/arm/Microsoft.Web/sites/deploy.bicep
@@ -294,16 +294,13 @@ resource app_insights 'microsoft.insights/components@2020-02-02' = if (enableMon
 }
 }
 
-module app_rbac './.bicep/nested_rbac.bicep' = [for (item, i) in roleAssignments: {
- name: 'rbac-${deployment().name}${i}'
+module app_rbac './.bicep/nested_rbac.bicep' = [for (roleAssignment, index) in roleAssignments: {
+ name: 'rbac-${deployment().name}${index}'
 params: {
- roleAssignment: item
+ roleAssignmentObj: roleAssignment
 builtInRoleNames: builtInRoleNames
- appName: appName
+ resourceName: app.name
 }
- dependsOn: [
- app
- ]
 }]
 
 module app_privateEndpoint './.bicep/nested_privateEndpoint.bicep' = [for (item, i) in privateEndpoints: {
@@ -319,6 +316,6 @@ module app_privateEndpoint './.bicep/nested_privateEndpoint.bicep' = [for (item,
 ]
 }]
 
-output appName string = appServicePlanName
+output appName string = appServicePlan.name
 output siteResourceId string = resourceId('Microsoft.Web/serverfarms', appServicePlanName)
 output siteResourceGroup string = resourceGroup().name
diff --git a/arm/README.md b/arm/README.md
index c4c964832a..e10bac8467 100644
--- a/arm/README.md
+++ b/arm/README.md
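Review bot: The new `output appName string = appServicePlan.name` still reports the App Service plan's name under an output called `appName`, whereas the rbac module hunk earlier in this file passes `app.name` as the site's name; the intended line is presumably `output appName string = app.name`. The unchanged `siteResourceId` context line on the next line has the same mismatch, building a `Microsoft.Web/serverfarms` id from `appServicePlanName` for an output named after the site, so `output siteResourceId string = app.id` would be the consistent fix, though that part is pre-existing. Whether a symbolic `appServicePlan` resource exists in this file is not visible from the hunk.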
@@ -71,7 +71,7 @@ The following table provides you with an outline of all Modules that are current
 | [NetworkSecurityGroups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkSecurityGroups) | | [networkSecurityGroups](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkSecurityGroups) | |
 | [NSG Flow Logs](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkWatcherFlowLogs) | | [networkWatcherFlowLogs](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkWatcherFlowLogs) | |
 | [Network Watcher](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkWatchers) | | [networkWatchers](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/networkWatchers) | |
-| [PrivateDnsZones](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateDnsZones) | | [privateDnsZones](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateDnsZones) | |
+| [PrivateDnsZones](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateDnsZones) | | [privateDnsZones](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateDnsZones) | :heavy_check_mark: |
 | [PrivateEndpoints](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateEndpoints) | | [privateEndpoints](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/privateEndpoints) | :heavy_check_mark: |
 | [Public IP Addresses](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/publicIPAddresses) | | [publicIPAddresses](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/publicIPAddresses) | :heavy_check_mark: |
 | [Public IP Prefixes](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/publicIPPrefixes) | | [publicIPPrefixes](https://github.com/Azure/ResourceModules/tree/main/arm/Microsoft.Network/publicIPPrefixes) | :heavy_check_mark: |
From 53242e6ba6fbb0383298a5e99d91bec0567edf2d Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Tue, 12 Oct 2021 20:58:47 +1100
Subject: [PATCH 29/36] added current version of roles to constructs
---
 .../deploy.json | 425 ++++++++++++++++++
 .../parameters/parameters.json | 52 +++
 .../readme.md | 68 +++
 3 files changed, 545 insertions(+)
 create mode 100644 constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/deploy.json
 create mode 100644 constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/parameters/parameters.json
 create mode 100644 constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md
diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/deploy.json b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/deploy.json
new file mode 100644
index 0000000000..75f637eb78
--- /dev/null
+++ b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/deploy.json
@@ -0,0 +1,425 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "roleAssignments": {
+ "defaultValue": [],
+ "type": "array",
+ "metadata": {
+ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'"
+ }
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Name of the Resource Group to assign the RBAC role(s) to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role(s) to the subscription."
+ }
+ },
+ "location": {
+ "type": "string",
+ "defaultValue": "[deployment().location]",
+ "metadata": {
+ "description": "Optional. Location for all resources."
+ }
+ },
+ "cuaId": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered"
+ }
+ }
+ },
+ "variables": {
+ "builtInRoleNames": {
+ "AcrDelete": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ "AcrImageSigner": "/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f",
+ "AcrPull": "/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
+ "AcrPush": "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
+ "AcrQuarantineReader": "/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04",
+ "AcrQuarantineWriter": "/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608",
+ "API Management Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
+ "API Management Service Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
+ "API Management Service Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
+ "App Configuration Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
+ "App Configuration Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
+ "Application Insights Component Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e",
+ "Application Insights Snapshot Debugger": "/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b",
+ "Attestation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e",
+ "Attestation Reader": "/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3",
+ "Automation Job Operator": "/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f",
+ "Automation Operator": "/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404",
+ "Automation Runbook Operator": "/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5",
+ "Avere Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a",
+ "Avere Operator": "/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9",
+ "Azure Connected Machine Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7",
+ "Azure Connected Machine Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302",
+ "Azure Digital Twins Owner (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe",
+ "Azure Digital Twins Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3",
+ "Azure Event Hubs Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "Azure Event Hubs Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde",
+ "Azure Event Hubs Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975",
+ "Azure Kubernetes Service Cluster Admin Role": "/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8",
+ "Azure Kubernetes Service Cluster User Role": "/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f",
+ "Azure Kubernetes Service Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
+ "Azure Maps Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204",
+ "Azure Maps Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa",
+ "Azure Sentinel Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade",
+ "Azure Sentinel Reader": "/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb",
+ "Azure Sentinel Responder": "/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056",
+ "Azure Service Bus Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
+ "Azure Service Bus Data Receiver": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
+ "Azure Service Bus Data Sender": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
+ "Azure Stack Registration Owner": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
+ "Backup Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b",
+ "Backup Operator": "/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324",
+ "Backup Reader": "/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912",
+ "Billing Reader": "/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64",
+ "BizTalk Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342",
+ "Blockchain Member Node Access (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24",
+ "Blueprint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4",
+ "Blueprint Operator": "/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090",
+ "CDN Endpoint Contributor": "/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45",
+ "CDN Endpoint Reader": "/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd",
+ "CDN Profile Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432",
+ "CDN Profile Reader": "/providers/Microsoft.Authorization/roleDefinitions/8f96442b-4075-438f-813d-ad51ab4019af",
+ "Classic Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f",
+ "Classic Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25",
+ "Classic Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d",
+ "Classic Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
+ "ClearDB MySQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe",
+ "Cognitive Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68",
+ "Cognitive Services Custom Vision Contributor": "/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3",
+ "Cognitive Services Custom Vision Deployment": "/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f",
+ "Cognitive Services Custom Vision Labeler": "/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c",
+ "Cognitive Services Custom Vision Reader": "/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73",
+ "Cognitive Services Custom Vision Trainer": "/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b",
+ "Cognitive Services Data Reader (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c",
+ "Cognitive Services QnA Maker Editor": "/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025",
+ "Cognitive Services QnA Maker Reader": "/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126",
+ "Cognitive Services User": "/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908",
+ "Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
+ "Cosmos DB Account Reader Role": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
+ "Cosmos DB Operator": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
+ "CosmosBackupOperator": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
+ "Cost Management Contributor": "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430",
+ "Cost Management Reader": "/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3",
+ "Data Box Contributor": "/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5",
+ "Data Box Reader": "/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027",
+ "Data Factory Contributor": "/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5",
+ "Data Lake Analytics Developer": "/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88",
+ "Data Purger": "/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90",
+ "Desktop Virtualization User": 
"/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", + "DevTest Labs User": "/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64", + "DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314", + "DocumentDB Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450", + "EventGrid EventSubscription Contributor": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443", + "EventGrid EventSubscription Reader": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405", + "Experimentation Administrator": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c", + "Experimentation Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c", + "Experimentation Reader": "/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1", + "FHIR Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd", + "FHIR Data Exporter": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843", + "FHIR Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508", + "FHIR Data Writer": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913", + "Graph Owner": "/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9", + "HDInsight Cluster Operator": "/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a", + "HDInsight Domain Services Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c", + "Hierarchy Settings Administrator": 
"/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d", + "Hybrid Server Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb", + "Hybrid Server Resource Administrator": "/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624", + "Integration Service Environment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8", + "Integration Service Environment Developer": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec", + "Intelligent Systems Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e", + "Key Vault Contributor": "/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395", + "Knowledge Consumer": "/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c", + "Kubernetes Cluster - Azure Arc Onboarding": "/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41", + "Lab Creator": "/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead", + "Log Analytics Contributor": "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "Log Analytics Reader": "/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893", + "Logic App Contributor": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e", + "Logic App Operator": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe", + "Managed Application Contributor Role": "/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e", + "Managed Application Operator Role": "/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae", + "Managed Applications 
Reader": "/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44", + "Managed Identity Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59", + "Managed Identity Operator": "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830", + "Managed Services Registration assignment Delete ": "/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46", + "Management Group Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c", + "Management Group Reader": "/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d", + "Marketplace Admin": "/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f", + "Monitoring Contributor": "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "Monitoring Metrics Publisher": "/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb", + "Monitoring Reader": "/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05", + "Network Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7", + "New Relic APM Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237", + "Object Understanding Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745", + "Owner": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "Policy Insights Data Writer (Preview)": "/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84", + "Private DNS Zone Contributor": "/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f", + "Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7", + "Reader and Data Access": "/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349", + "Redis Cache Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17", + "Remote Rendering Administrator": "/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e", + "Remote Rendering Client": "/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a", + "Resource Policy Contributor": "/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608", + "Scheduler Job Collections Contributor": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94", + "Search Service Contributor": "/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0", + "Security Admin": "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd", + "Security Assessment Contributor": "/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5", + "Security Manager (Legacy)": "/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10", + "Security Reader": "/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4", + "SignalR AccessKey Reader": "/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e", + "SignalR Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761", + "Site Recovery Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567", + "Site Recovery Operator": "/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca", + "Site Recovery Reader": 
"/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149", + "Spatial Anchors Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827", + "Spatial Anchors Account Owner": "/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c", + "Spatial Anchors Account Reader": "/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413", + "SQL DB Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec", + "SQL Managed Instance Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d", + "SQL Security Manager": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3", + "SQL Server Contributor": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437", + "Storage Account Contributor": "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab", + "Storage Account Key Operator Service Role": "/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12", + "Storage Blob Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe", + "Storage Blob Data Owner": "/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b", + "Storage Blob Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1", + "Storage Blob Delegator": "/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a", + "Storage File Data SMB Share Contributor": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb", + "Storage File Data SMB Share Elevated Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7", + "Storage 
File Data SMB Share Reader": "/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314", + "Storage Queue Data Contributor": "/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88", + "Storage Queue Data Message Processor": "/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed", + "Storage Queue Data Message Sender": "/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a", + "Storage Queue Data Reader": "/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925", + "Support Request Contributor": "/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e", + "Tag Contributor": "/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f", + "Traffic Manager Contributor": "/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7", + "User Access Administrator": "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9", + "Virtual Machine Administrator Login": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4", + "Virtual Machine Contributor": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c", + "Virtual Machine User Login": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52", + "Web Plan Contributor": "/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b", + "Website Contributor": "/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772", + "Workbook Contributor": "/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad", + "Workbook Reader": "/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d" + } + }, + "resources": [ + // CUA on 
Subscription scope + { + "condition": "[and(not(empty(parameters('cuaId'))), empty(parameters('resourceGroupName')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-01-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + // Role Assignments on Subscription scope + { + "name": "[concat(uniqueString(deployment().name, parameters('location')), 'subscriptionRbacDeplCopy-', copyIndex())]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-01-01", + "location": "[parameters('location')]", + "condition": "[and(not(empty(parameters('roleAssignments'))), empty(parameters('resourceGroupName')))]", + "dependsOn": [], + "copy": { + "name": "subscriptionRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "subscriptionId": { + "value": "[subscription().id]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "subscriptionId": { + "type": "string" + } + }, + "variables": { + "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" + }, + "resources": 
[ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2018-09-01-preview", + "name": "[if( variables('condition'), guid( parameters('subscriptionId'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", + "condition": "[variables('condition')]", + "copy": { + "name": "innerRbacCopy", + "count": "[length(array(parameters('roleAssignment').principalIds))]" + }, + "properties": { + "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]", + "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]" + } + } + ] + } + } + }, + // CUA on Resource Group scope + { + "name": "cuaDeploymentOnResourceGroup", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-01-01", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[not(empty(parameters('resourceGroupName')))]", + "dependsOn": [], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "cuaId": { + "value": "[parameters('cuaId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "cuaId": { + "type": "string" + } + }, + "resources": [ + { + "condition": "[not(empty(parameters('cuaId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat('pid-', parameters('cuaId'))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + } + ], + "outputs": { + 
"resourceGroupId": { + "type": "string", + "value": "[resourceGroup().id]" + } + } + } + } + }, + // Role Assignments on Resource Group scope + { + "name": "[concat('resourceGroupRbacDeplCopy-', copyIndex())]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-01-01", + "resourceGroup": "[parameters('resourceGroupName')]", + "condition": "[and(not(empty(parameters('roleAssignments'))), not(empty(parameters('resourceGroupName'))))]", + "dependsOn": [], + "copy": { + "name": "resourceGroupRbacDeplCopy", + "count": "[length(parameters('roleAssignments'))]" + }, + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "roleAssignment": { + "value": "[parameters('roleAssignments')[copyIndex()]]" + }, + "builtInRoleNames": { + "value": "[variables('builtInRoleNames')]" + }, + "resourceGroupName": { + "value": "[parameters('resourceGroupName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "roleAssignment": { + "type": "object" + }, + "builtInRoleNames": { + "type": "object" + }, + "resourceGroupName": { + "type": "string" + } + }, + "variables": { + "condition": "[and(not(empty(parameters('roleAssignment'))), contains(parameters('roleAssignment'), 'roleDefinitionIdOrName'), contains(parameters('roleAssignment'), 'principalIds'), not(empty(parameters('roleAssignment').roleDefinitionIdOrName)), not(empty(parameters('roleAssignment').principalIds)) )]" + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2020-04-01-preview", + "name": "[if( variables('condition'), guid( parameters('resourceGroupName'), array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')], parameters('roleAssignment').roleDefinitionIdOrName ), guid('dummy'))]", + "condition": "[variables('condition')]", + "copy": { + "name": 
"innerRbacCopy",
+ "count": "[length(array(parameters('roleAssignment').principalIds))]"
+ },
+ "properties": {
+ "roleDefinitionId": "[if(contains(parameters('builtInRoleNames'), parameters('roleAssignment').roleDefinitionIdOrName ), parameters('builtInRoleNames')[parameters('roleAssignment').roleDefinitionIdOrName] , parameters('roleAssignment').roleDefinitionIdOrName )]",
+ "principalId": "[array(parameters('roleAssignment').principalIds)[copyIndex('innerRbacCopy')]]"
+ }
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "functions": [],
+ "outputs": {
+ "assignmentScope": {
+ "type": "string",
+ "condition": "[not(empty(parameters('roleAssignments')))]",
+ "value": "[if(empty(parameters('resourceGroupName')), subscription().id , reference('cuaDeploymentOnResourceGroup').outputs.resourceGroupId.value)]",
+ "metadata": {
+ "description": "The scope (subscription or resource group) of the assignments defined in this module were created on."
+ }
+ },
+ "roleAssignments": {
+ "type": "array",
+ "value": "[parameters('roleAssignments')]",
+ "metadata": {
+ "description": "Array of role assignment objects."
+ }
+ }
+ }
+}
diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/parameters/parameters.json b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/parameters/parameters.json
new file mode 100644
index 0000000000..21fc381e2c
--- /dev/null
+++ b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/parameters/parameters.json
@@ -0,0 +1,52 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ // Resource Group name is optional, when provided, the Role Assignment will target the RG. When not provided the scope will be the subscription.
+ "resourceGroupName": {
+ "value": "artifacts-rg"
+ },
+ "roleAssignments": {
+ "value": [
+ {
+ "roleDefinitionIdOrName": "Owner",
+ "principalIds": [
+ // "12345678-1234-1234-1234-123456780123"
+ // "abcd5678-1234-1234-1234-123456780123"
+ ]
+ },
+ {
+ "roleDefinitionIdOrName": "Reader",
+ "principalIds": [
+ // "12345678-1234-1234-1234-123456780123"
+ // "abcd5678-1234-1234-1234-123456780123"
+ ]
+ },
+ // // Built-in Role Definition, referenced by ID
+ // {
+ // "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // },
+ // // Custom Role Definition on Resource Group scope
+ // {
+ // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/providers/Microsoft.Authorization/roleDefinitions/54597af5-2126-5a52-a2ce-4bb56e90d3c8",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // },
+ // // Custom Role Definition on Subscription scope
+ // {
+ // "roleDefinitionIdOrName": "/subscriptions/62826c76-d304-46d8-a0f6-718dbdcc536c/resourceGroups/rbacTest/providers/Microsoft.Authorization/roleDefinitions/08e417aa-3d20-5a4e-94da-b2aa45bd5929",
+ // "principalIds": [
+ // // "12345678-1234-1234-1234-123456780123"
+ // // "abcd5678-1234-1234-1234-123456780123"
+ // ]
+ // }
+ ]
+ }
+ }
+}
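Review bot: The two commented custom-role examples carry swapped scope labels: the entry under `// // Custom Role Definition on Resource Group scope` uses a subscription-scoped ID (`/subscriptions/<id>/providers/Microsoft.Authorization/roleDefinitions/...`), while the entry under `// // Custom Role Definition on Subscription scope` uses a resource-group-scoped ID (`/subscriptions/<id>/resourceGroups/rbacTest/providers/...`); exchanging those two comment lines fixes it. Those same examples embed a concrete subscription GUID, whereas the principal examples use the obviously synthetic `12345678-1234-...` pattern; a `<subscriptionId>` placeholder would keep environment identifiers out of a committed sample. With both `principalIds` arrays empty the template's `condition` variable evaluates false and no assignment is deployed, which is presumably intended for a sample but is worth stating in the header comment so a reader does not expect the file to grant anything as-is.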
diff --git a/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md
new file mode 100644
index 0000000000..b8056b76d6
--- /dev/null
+++ b/constructs/Microsoft.Authorization/roleAssignments-multiRolesMultiPrincipals/readme.md
@@ -0,0 +1,68 @@ +# Role Assignments + +This module deploys Role Assignments. + +## Resource types + +| Resource Type | ApiVersion | +| :---------------------------------------- | :----------------- | +| `Microsoft.Authorization/roleAssignments` | 2018-09-01-preview | +| `Microsoft.Resources/deployments` | 2018-02-01 | + +## Parameters + +| Parameter Name | Type | Default Value | Possible values | Description | +| :------------------ | :----- | :---------------------- | :---------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `roleAssignments` | array | [] | Complex structure, see below. | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | +| `resourceGroupName` | string | "" | | Optional. Name of the Resource Group to deploy the custom role in. If no Resource Group name is provided, the module deploys at subscription level, therefore registers the custom RBAC role definition in the subscription. | +| `cuaId` | string | "" | | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | +| `location` | string | [deployment().location] | | Optional. Location for all resources. 
| + +### Parameter Usage: `roleAssignments` + +```json +"roleAssignments": { + "value": [ + { + "roleDefinitionIdOrName": "Desktop Virtualization User", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "Reader", + "principalIds": [ + "12345678-1234-1234-1234-123456789012", // object 1 + "78945612-1234-1234-1234-123456789012" // object 2 + ] + }, + { + "roleDefinitionIdOrName": "/subscriptions/78945612-1234-1234-1234-123456789012/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11", + "principalIds": [ + "12345678-1234-1234-1234-123456789012" // object 1 + ] + } + ] +} +``` + +## Outputs + +| Output Name | Type | Description | +| :---------------- | :----- | :---------------------------------------------------------------------------------------------------- | +| `assignmentScope` | string | The scope (subscription or resource group) of the assignments defined in this module were created on. | +| `roleAssignments` | array | Array of role assignment objects. | + +## Considerations + +This module can be deployed both at subscription or resource group level: + +- To deploy the module at resource group level, provide a valid name of an existing Resource Group in the `resourceGroupName` parameter. +- To deploy the module at the subscription level, leave the `resourceGroupName` parameter empty. + +## Additional resources + +- [What is Azure role-based access control (Azure RBAC)?](https://docs.microsoft.com/en-us/azure/role-based-access-control/overview) +- [Microsoft.Authorization roleAssignments template reference](https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2018-09-01-preview/roleassignments) +- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) 
From 60153e50d0d5dbe7af52fc5f6bf7d146be7a2bb1 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 12 Oct 2021 21:38:57 +1100 Subject: [PATCH 30/36] updated parameter files to point to test subscription --- .../allowedLocations.parameters.json | 8 ++- .../listOfAllowedSKUs.parameters.json | 10 ++-- .../parameters/parameters.json | 2 +- .../parameters/parameters.json | 4 +- .../parameters/parameters.json | 52 +++++++++---------- .../parameters/parameters.json | 4 +- .../parameters/parameters.json | 6 +-- .../parameters/parameters.json | 4 +- 8 files changed, 49 insertions(+), 41 deletions(-)
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json
index 7cc6346d8c..0c7936294d 100644
--- a/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/allowedLocations.parameters.json
@@ -11,7 +11,11 @@
 "parameters": {
 "value": {
 "listOfAllowedLocations": {
- "value": ["westus","westus2","westeu"]
+ "value": [
+ "westus",
+ "westus2",
+ "westeu"
+ ]
 }
 }
 },
@@ -22,7 +26,7 @@
 "value": "None"
 },
 "subscriptionId": {
- "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
 }
 }
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
index 3c500189c2..a4da5a4ada 100644
--- a/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/listOfAllowedSKUs.parameters.json
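Review bot: The new `subscriptionId` value is a literal GUID repeated in every parameter file this commit touches (the same hunk shape recurs for listOfAllowedSKUs, policyAssignments, policyDefinitions, policyExemptions, policySetDefinitions, roleAssignments and roleDefinitions on the following lines), and in policyExemptions it is embedded a second time inside `policyAssignmentId`. Replacing one literal with another keeps the validation target coupled to eight files; a pipeline-substituted token such as `"value": "<<subscriptionId>>"` (constructed example) or one shared parameter file would make the next move a single change and keep environment identifiers out of the module sources. If the literal is kept, a comment on the first occurrence such as `// test subscription used by the validation pipeline; not for production use` would tell readers why it is there.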
@@ -11,7 +11,11 @@
 "parameters": {
 "value": {
 "listOfAllowedSKUs": {
- "value": ["Standard_B2s","Standard_D2s_v3","Standard_D4s_v3"]
+ "value": [
+ "Standard_B2s",
+ "Standard_D2s_v3",
+ "Standard_D4s_v3"
+ ]
 }
 }
 },
@@ -22,7 +26,7 @@
 "value": "None"
 },
 "subscriptionId": {
- "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
index 2d551f6d57..2ee1cc1d49 100644
--- a/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policyAssignments/parameters/parameters.json
@@ -22,7 +22,7 @@
 "value": "australiaeast"
 },
 "subscriptionId": {
- "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
 }
 }
diff --git a/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json
index 382b663aea..fbcf2e27e6 100644
--- a/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policyDefinitions/parameters/parameters.json
@@ -50,7 +50,7 @@
 }
 },
 "subscriptionId": {
- "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json b/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json
index f8874b8db3..8d1142608f 100644
--- a/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policyExemptions/parameters/parameters.json
@@ -1,29 +1,29 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "policyExemptionName": {
- "value": "test-policy-exempt"
- },
- "displayName": {
- "value": "[Test] policy exempt"
- },
- "policyAssignmentId": {
- "value": "/subscriptions/20d6fbfe-b049-471c-95af-1369d14d0d45/providers/Microsoft.Authorization/policyAssignments/Add-a-tag-to-resources"
- },
- "exemptionCategory": {
- "value": "Waiver"
- },
- "metadata": {
- "value": {
- "category": "Security"
- }
- },
- "expiresOn": {
- "value": "2023-10-02T03:57:00.000Z"
- },
- "subscriptionId": {
- "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "policyExemptionName": {
+ "value": "test-policy-exempt"
+ },
+ "displayName": {
+ "value": "[Test] policy exempt"
+ },
+ "policyAssignmentId": {
+ "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/providers/Microsoft.Authorization/policyAssignments/Add-a-tag-to-resources"
+ },
+ "exemptionCategory": {
+ "value": "Waiver"
+ },
+ "metadata": {
+ "value": {
+ "category": "Security"
 }
+ },
+ "expiresOn": {
+ "value": "2023-10-02T03:57:00.000Z"
+ },
+ "subscriptionId": {
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
- }
\ No newline at end of file
+ }
+}
diff --git a/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
index d8cf7bb27c..5bdd1e7d10 100644
--- a/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/policySetDefinitions/parameters/parameters.json
@@ -60,7 +60,7 @@
 }
 },
 "subscriptionId": {
- "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
index 269cf2d938..3d4d56f8dd 100644
--- a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
@@ -5,11 +5,11 @@
 "roleDefinitionIdOrName": {
 "value": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
 },
- "principalId":{
+ "principalId": {
 "value": "9fa1a3c1-d53b-40ea-8617-ec99e51285a3"
 },
 "subscriptionId": {
- "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json
index 09dd933504..68a7d4b111 100644
--- a/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/roleDefinitions/parameters/parameters.json
@@ -31,7 +31,7 @@
 "value": []
 },
 "subscriptionId": {
- "value": "20d6fbfe-b049-471c-95af-1369d14d0d45"
+ "value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
 }
 }
-}
\ No newline at end of file
+}
From 353842ed5a4c32381573d2fc8ef0485f1c5290bf Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 13 Oct 2021 17:58:27 +1100
Subject: [PATCH 31/36] updated based on feedback
---
 .../.bicep/nested_rbac_mg.bicep | 283 ++++++++++++------
 .../.bicep/nested_rbac_rg.bicep | 278 +++++++++++------
 .../.bicep/nested_rbac_sub.bicep | 281 +++++++++++------
 .../parameters/parameters.json | 4 +-
 4 files changed, 584 insertions(+), 262 deletions(-)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep
index d0986d177d..70635732e9 100644
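Review bot: The roleAssignments test parameters keep binding `roleDefinitionIdOrName` to `/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635` — the GUID this page's builtInRoleNames_var map lists as 'Owner' — to a fixed principalId at subscription scope, and this commit only swaps the subscription. A deployment smoke test does not need Owner; pointing the fixture at a narrower built-in role from the same map, e.g. `"value": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7"` (Reader), limits the blast radius if this file is ever deployed against the wrong subscription. The same literal subscription ID is also repeated in each of the eight parameter files in this commit; sourcing it from one pipeline variable would make the next move a single-line change.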
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep
@@ -6,53 +6,32 @@ param managementGroupId string
 param location string = deployment().location
 var builtInRoleNames_var = {
- 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
- 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
- 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
+ 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
+ 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
+ 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
+ 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
 'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
- 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61'
 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d'
- 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
- 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e'
'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b'
- 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e'
 'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3'
 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f'
- 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5'
+ 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a'
 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9'
- 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7'
- 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302'
- 'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe'
- 'Azure Digital Twins Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3'
- 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec'
- 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
- 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975'
 'Azure Kubernetes Service Cluster Admin 
Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'
 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
- 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
- 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204'
 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa'
- 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
- 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
- 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
- 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
- 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
- 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a'
 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b'
+ 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324'
 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912'
- 'Billing Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342'
- 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24'
- 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
- 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45'
 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd'
 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432'
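Review bot: The builtInRoleNames_var map loses its alphabetical order in this hunk ('API Management Service Contributor' now sits ahead of 'AcrPull', 'Billing Reader' lands between 'Backup Contributor' and 'Backup Operator'), which makes it hard to confirm in review that every key removed here reappears in the second hunk with its GUID unchanged; 'Blockchain Member Node Access (Preview)' is removed here and does not reappear in the visible part of the second hunk, though that hunk runs past the end of this view. Because these keys are the friendly-name side of the `roleDefinitionIdOrName` lookup, a dropped or respelled key is a silent breaking change for callers passing the old name ('Azure Digital Twins Owner (Preview)' is removed here and comes back as 'Azure Digital Twins Data Owner' in the second hunk), and a mistyped GUID would grant a different role than the name promises. Suggest keeping the map sorted and adding a one-line comment above it, `// Keep sorted by name; each GUID must match the built-in role definition of the same name`, backed by a test that compares every name/GUID pair against the tenant's built-in role definitions. The diffstat suggests the same rewrite is applied to nested_rbac_rg.bicep and nested_rbac_sub.bicep, which are outside this view.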
@@ -60,127 +39,255 @@ var builtInRoleNames_var = {
 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f'
 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25'
 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d'
- 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe'
- 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
- 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
- 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f'
- 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c'
- 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73'
- 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
- 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c'
- 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
- 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
+ 'Classic Virtual Machine Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908'
+ 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
+ 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
 'Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8'
- 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
- 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430'
 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3'
 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5'
 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027'
 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5'
- 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90'
- 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
+ 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
 'DevTest Labs User': 
'/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64'
- 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450'
+ 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443'
 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405'
- 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c'
- 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c'
- 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1'
- 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd'
- 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843'
- 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508'
- 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913'
 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9'
- 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a'
 'HDInsight Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c'
- 'Hierarchy Settings Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d'
- 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
- 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
- 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8'
- 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec'
 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e'
 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395'
 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c'
- 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead'
- 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893'
- 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
+ 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe'
- 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
+ 'Logic App Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae'
 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44'
- 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'
- 'Managed Services Registration assignment Delete ': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
+ 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c'
 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d'
- 'Marketplace Admin': '/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f'
- 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb'
 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05'
 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7'
+ 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237'
- 'Object Understanding Account Owner': 
'/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745'
 'Owner': '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
- 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84'
- 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
 'Reader': '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
- 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17'
- 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
- 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
+ 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94'
 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0'
 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
- 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5'
- 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10'
 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4'
- 'SignalR 
AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
- 'SignalR Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
+ 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567'
 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca'
+ 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149'
- 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c'
- 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
- 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
+ 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3'
- 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
+ 'SQL Server Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12'
 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
- 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
- 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
- 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
- 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88'
 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed'
 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a'
 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925'
 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
- 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7'
- 'User Access Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4'
- 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+ 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52'
+ 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b'
 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772'
- 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
+ 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
+ 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec'
+ 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e'
+ 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a'
+ 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
+ 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
+ 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
+ 'Azure Event Hubs Data Receiver': 
'/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
+ 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975'
+ 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
+ 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
+ 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
+ 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
+ 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
+ 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
+ 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
+ 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
+ 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
+ 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
+ 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
+ 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
+ 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
+ 'Workbook Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
+ 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
+ 'SignalR/Web PubSub Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
+ 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7'
+ 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302'
+ 'Managed Services Registration assignment Delete Role': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
+ 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
+ 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
+ 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
+ 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c'
+ 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
+ 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
+ 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c'
+ 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
+ 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
+ 'Managed Application Contributor Role': 
'/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' + 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5' + 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' + 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec' + 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8' + 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' + 'Azure Digital Twins Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' + 'Azure Digital Twins Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' + 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d' + 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' + 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' + 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' + 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' + 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' + 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745' + 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204' + 'Cognitive Services Custom Vision Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3' + 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f' + 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c' + 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73' + 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b' + 'Key Vault Administrator': '/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483' + 'Key Vault Crypto Officer': '/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603' + 'Key Vault Crypto User': '/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424' + 'Key Vault Secrets Officer': '/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7' + 'Key Vault Secrets User': '/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6' + 'Key Vault Certificates Officer': '/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985' + 'Key Vault Reader': '/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2' + 'Key Vault Crypto Service Encryption User': '/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6' + 'Azure Arc Kubernetes Viewer': '/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4' + 'Azure Arc Kubernetes Writer': '/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1' + 'Azure Arc Kubernetes Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2' + 'Azure Arc 
Kubernetes Admin': '/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96' + 'Azure Kubernetes Service RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b' + 'Azure Kubernetes Service RBAC Admin': '/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7' + 'Azure Kubernetes Service RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db' + 'Azure Kubernetes Service RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb' + 'Services Hub Operator': '/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b' + 'Object Understanding Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6' + 'Azure Arc Enabled Kubernetes Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd' + 'SignalR REST API Owner': '/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521' + 'Collaborative Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352' + 'Device Update Reader': '/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f' + 'Device Update Administrator': '/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a' + 'Device Update Content Administrator': '/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98' + 'Device Update Deployments Administrator': '/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432' + 'Device Update Deployments Reader': '/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f' + 'Device Update Content Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b' + 'Cognitive Services Metrics Advisor Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a' + 'Cognitive Services Metrics Advisor User': '/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8' + 'AgFood Platform Service Reader': '/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba' + 'AgFood Platform Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728' + 'AgFood Platform Service Admin': '/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3' + 'Managed HSM contributor': '/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d' + 'Security Detonation Chamber Submitter': '/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0' + 'SignalR REST API Reader': '/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035' + 'SignalR Service Owner': '/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3' + 'Reservation Purchaser': '/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689' + 'Storage Account Backup Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1' + 'Experimentation Metric Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0' + 'Project Babylon Data Curator': '/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889' + 'Project Babylon Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446' + 'Project Babylon Data Source Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f' + 'Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b' + 'Desktop Virtualization Reader': '/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868' + 'Desktop Virtualization Contributor': '/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387' + 'Desktop Virtualization Workspace Contributor': '/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b' + 'Desktop Virtualization User Session Operator': '/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6' + 'Desktop Virtualization Session Host Operator': '/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408' + 'Desktop Virtualization Host Pool Reader': '/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822' + 'Desktop Virtualization Host Pool Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc' + 'Desktop Virtualization Application Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55' + 'Desktop Virtualization Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8' + 'Desktop Virtualization Workspace Reader': '/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d' + 'Disk Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24' + 'Disk Restore Operator': '/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13' + 'Disk Snapshot Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce' + 'Microsoft.Kubernetes connected cluster role': 
'/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f' + 'Security Detonation Chamber Submission Manager': '/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce' + 'Security Detonation Chamber Publisher': '/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500' + 'Collaborative Runtime Operator': '/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102' + 'CosmosRestoreOperator': '/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f' + 'FHIR Data Converter': '/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24' + 'Azure Sentinel Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a' + 'Quota Request Operator': '/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125' + 'EventGrid Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de' + 'Security Detonation Chamber Reader': '/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5' + 'Object Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9' + 'Object Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b' + 'WorkloadBuilder Migration Agent Role': '/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c' + 'Azure Spring Cloud Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c' + 'Cognitive Services Speech User': '/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447' + 'Cognitive Services Speech Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181' + 'Cognitive 
Services Face Recognizer': '/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7' + 'Media Services Account Administrator': '/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466' + 'Media Services Live Events Administrator': '/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77' + 'Media Services Media Operator': '/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c' + 'Media Services Policy Administrator': '/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae' + 'Media Services Streaming Endpoints Administrator': '/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804' + 'Stream Analytics Query Tester': '/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf' + 'AnyBuild Builder': '/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8' + 'IoT Hub Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3' + 'IoT Hub Twin Contributor': '/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c' + 'IoT Hub Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47' + 'IoT Hub Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f' + 'Test Base Reader': '/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85' + 'Search Index Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f' + 'Search Index Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7' + 'Storage Table Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6' + 'Storage Table 
Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3' + 'DICOM Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a' + 'DICOM Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8' + 'EventGrid Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7' + 'Disk Pool Operator': '/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840' + 'AzureML Data Scientist': '/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121' + 'Grafana Admin': '/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41' + 'Azure Connected SQL Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508' + 'Azure Relay Sender': '/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d' + 'Azure Relay Owner': '/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38' + 'Azure Relay Listener': '/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d' + 'Grafana Viewer': '/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769' + 'Grafana Editor': '/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f' + 'Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867' + 'Kubernetes Extension Contributor': '/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717' + 'Device Provisioning Service Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8' + 'Device Provisioning Service Data Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633' + 'CodeSigning Certificate Profile Signer': '/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958' + 'Azure Spring Cloud Service Registry Reader': '/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65' + 'Azure Spring Cloud Service Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1' + 'Azure Spring Cloud Config Server Reader': '/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7' + 'Azure Spring Cloud Config Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b' + 'Azure VM Managed identities restore Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd' + 'Azure Maps Search and Render Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005' + 'Azure Maps Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb' } - var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName) resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = { 
@@ -192,5 +299,5 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
 }
 output roleAssignmentName string = roleAssignment.name
-output roleAssignmentScope string = tenantResourceId('Microsoft.Management/managementGroups',managementGroupId)
-output roleAssignmentId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups',managementGroupId),'Microsoft.Authorization/roleAssignments',roleAssignment.name)
+output roleAssignmentScope string = tenantResourceId('Microsoft.Management/managementGroups', managementGroupId)
+output roleAssignmentId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep
index 979aa70732..d9130182a9 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep
@@ -7,53 +7,32 @@ param resourceGroupName string = resourceGroup().name
 param location string = resourceGroup().location
 var builtInRoleNames_var = {
- 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
- 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
- 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
+ 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
+ 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
+ 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
+ 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
 'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
- 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61'
 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d'
- 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
- 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e'
 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b'
- 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e'
 'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3'
 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f'
- 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5'
+ 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a'
 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9'
- 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7'
- 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302'
- 'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe'
- 'Azure Digital Twins Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3'
- 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec'
- 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
- 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975'
 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'
 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
- 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
- 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204'
 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa'
- 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
- 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
- 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
- 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
- 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
- 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a'
 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b'
+ 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324'
 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912'
- 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342'
- 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24'
- 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
- 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45'
 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd'
 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432'
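Review bot: Friendly-name keys are dropped from `builtInRoleNames_var` in nested_rbac_rg.bicep with no compatibility alias, and at least the Digital Twins pair is a rename rather than a move, since the same GUIDs reappear in the management-group file under `'Azure Digital Twins Data Owner'` / `'Azure Digital Twins Data Reader'` while `'Azure Digital Twins Owner (Preview)'` / `'Azure Digital Twins Reader (Preview)'` are removed here; `'Blockchain Member Node Access (Preview)'` and `'Attestation Contributor'` go the same way in this hunk, and `'Hybrid Server Onboarding'`, `'Security Manager (Legacy)'` and `'Policy Insights Data Writer (Preview)'` in the next one, unless they are re-added further down where I cannot see. If this module resolves names the way the management-group variant does (`contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName`), an existing parameter file that still uses a removed name is no longer mapped and the bare display name is passed through as the roleDefinitionId, which only surfaces as a deployment failure; the readme should list the removed and renamed names, or the old keys should be kept as aliases pointing at the same GUID. Separately, the re-added entries break the alphabetical order the rest of the map keeps (`'API Management Service Contributor'` before `'AcrPull'`, `'Billing Reader'` between `'Backup Contributor'` and `'Backup Operator'`); keeping the three per-scope copies sorted keeps them diffable against each other. The `builtInRoleNames_var` object continues past this hunk.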
@@ -61,125 +40,254 @@ var builtInRoleNames_var = { 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f' 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25' 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d' - 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb' 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe' - 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68' - 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3' - 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f' - 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c' - 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73' - 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b' - 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c' - 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025' - 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126' + 'Classic Virtual Machine Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb' 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908' + 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68' + 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb' 'Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8' - 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa' - 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb' 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430' 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3' 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5' 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027' 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5' - 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88' 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90' - 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63' + 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88' 'DevTest Labs User': 
'/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64' - 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314' 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450' + 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314' 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443' 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405' - 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c' - 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c' - 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' - 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' - 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' - 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' - 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9' - 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a' 'HDInsight Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c' - 'Hierarchy Settings Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d' - 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb' - 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624' - 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8' - 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec' 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e' 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395' 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c' - 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41' 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead' - 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893' - 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e' + 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293' 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe' - 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' + 'Logic App Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e' 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae' 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44' - 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59' 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830' - 'Managed Services Registration assignment Delete ': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46' + 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59' 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c' 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d' - 'Marketplace Admin': '/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f' - 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb' 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05' 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7' + 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa' 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237' - 'Object Understanding Account Owner': 
'/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745' 'Owner': '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' - 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84' - 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f' 'Reader': '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7' - 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349' 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17' - 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e' - 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a' + 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349' 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608' 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94' 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0' 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd' - 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5' - 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10' 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4' - 'SignalR 
AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e' - 'SignalR Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761' + 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827' 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567' 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca' + 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413' 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149' - 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827' 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c' - 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413' - 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec' 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d' + 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec' 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3' - 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437' 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab' + 'SQL Server Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437' 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12' 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe' 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b' 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' - 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a' - 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb' - 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7' - 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314' 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88' 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed' 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a' 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925' 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e' - 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7' - 'User Access Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4' - 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c' + 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9' 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52' + 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c' 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b' 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772' - 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad' + 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419' + 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec' + 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e' + 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a' + 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa' + 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624' + 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb' + 'Azure Event Hubs Data Receiver': 
'/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde' + 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975' + 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0' + 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39' + 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314' + 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb' + 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f' + 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a' + 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63' + 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7' + 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4' + 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090' + 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade' + 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056' + 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb' 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d' + 'Workbook Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad' + 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e' + 'SignalR/Web PubSub Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761' + 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7' + 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302' + 'Managed Services Registration assignment Delete Role': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46' + 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b' + 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071' + 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41' + 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c' + 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126' + 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025' + 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c' + 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e' + 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a' + 'Managed Application Contributor Role': 
'/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e' + 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5' + 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f' + 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec' + 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8' + 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8' + 'Azure Digital Twins Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3' + 'Azure Digital Twins Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe' + 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d' + 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd' + 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843' + 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508' + 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913' + 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1' + 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745' + 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204' + 'Cognitive Services Custom Vision Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3' + 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f' + 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c' + 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73' + 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b' + 'Key Vault Administrator': '/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483' + 'Key Vault Crypto Officer': '/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603' + 'Key Vault Crypto User': '/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424' + 'Key Vault Secrets Officer': '/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7' + 'Key Vault Secrets User': '/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6' + 'Key Vault Certificates Officer': '/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985' + 'Key Vault Reader': '/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2' + 'Key Vault Crypto Service Encryption User': '/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6' + 'Azure Arc Kubernetes Viewer': '/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4' + 'Azure Arc Kubernetes Writer': '/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1' + 'Azure Arc Kubernetes Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2' + 'Azure Arc 
Kubernetes Admin': '/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96' + 'Azure Kubernetes Service RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b' + 'Azure Kubernetes Service RBAC Admin': '/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7' + 'Azure Kubernetes Service RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db' + 'Azure Kubernetes Service RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb' + 'Services Hub Operator': '/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b' + 'Object Understanding Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6' + 'Azure Arc Enabled Kubernetes Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd' + 'SignalR REST API Owner': '/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521' + 'Collaborative Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352' + 'Device Update Reader': '/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f' + 'Device Update Administrator': '/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a' + 'Device Update Content Administrator': '/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98' + 'Device Update Deployments Administrator': '/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432' + 'Device Update Deployments Reader': '/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f' + 'Device Update Content Reader': 
'/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b' + 'Cognitive Services Metrics Advisor Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a' + 'Cognitive Services Metrics Advisor User': '/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8' + 'AgFood Platform Service Reader': '/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba' + 'AgFood Platform Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728' + 'AgFood Platform Service Admin': '/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3' + 'Managed HSM contributor': '/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d' + 'Security Detonation Chamber Submitter': '/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0' + 'SignalR REST API Reader': '/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035' + 'SignalR Service Owner': '/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3' + 'Reservation Purchaser': '/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689' + 'Storage Account Backup Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1' + 'Experimentation Metric Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0' + 'Project Babylon Data Curator': '/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889' + 'Project Babylon Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446' + 'Project Babylon Data Source Administrator': 
'/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f' + 'Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b' + 'Desktop Virtualization Reader': '/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868' + 'Desktop Virtualization Contributor': '/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387' + 'Desktop Virtualization Workspace Contributor': '/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b' + 'Desktop Virtualization User Session Operator': '/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6' + 'Desktop Virtualization Session Host Operator': '/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408' + 'Desktop Virtualization Host Pool Reader': '/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822' + 'Desktop Virtualization Host Pool Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc' + 'Desktop Virtualization Application Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55' + 'Desktop Virtualization Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8' + 'Desktop Virtualization Workspace Reader': '/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d' + 'Disk Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24' + 'Disk Restore Operator': '/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13' + 'Disk Snapshot Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce' + 'Microsoft.Kubernetes connected cluster role': 
'/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f' + 'Security Detonation Chamber Submission Manager': '/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce' + 'Security Detonation Chamber Publisher': '/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500' + 'Collaborative Runtime Operator': '/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102' + 'CosmosRestoreOperator': '/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f' + 'FHIR Data Converter': '/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24' + 'Azure Sentinel Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a' + 'Quota Request Operator': '/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125' + 'EventGrid Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de' + 'Security Detonation Chamber Reader': '/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5' + 'Object Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9' + 'Object Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b' + 'WorkloadBuilder Migration Agent Role': '/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c' + 'Azure Spring Cloud Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c' + 'Cognitive Services Speech User': '/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447' + 'Cognitive Services Speech Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181' + 'Cognitive 
Services Face Recognizer': '/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7' + 'Media Services Account Administrator': '/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466' + 'Media Services Live Events Administrator': '/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77' + 'Media Services Media Operator': '/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c' + 'Media Services Policy Administrator': '/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae' + 'Media Services Streaming Endpoints Administrator': '/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804' + 'Stream Analytics Query Tester': '/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf' + 'AnyBuild Builder': '/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8' + 'IoT Hub Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3' + 'IoT Hub Twin Contributor': '/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c' + 'IoT Hub Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47' + 'IoT Hub Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f' + 'Test Base Reader': '/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85' + 'Search Index Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f' + 'Search Index Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7' + 'Storage Table Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6' + 'Storage Table 
Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3' + 'DICOM Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a' + 'DICOM Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8' + 'EventGrid Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7' + 'Disk Pool Operator': '/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840' + 'AzureML Data Scientist': '/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121' + 'Grafana Admin': '/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41' + 'Azure Connected SQL Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508' + 'Azure Relay Sender': '/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d' + 'Azure Relay Owner': '/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38' + 'Azure Relay Listener': '/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d' + 'Grafana Viewer': '/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769' + 'Grafana Editor': '/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f' + 'Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867' + 'Kubernetes Extension Contributor': '/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717' + 'Device Provisioning Service Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8' + 'Device Provisioning Service Data Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633'
+ 'CodeSigning Certificate Profile Signer': '/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958'
+ 'Azure Spring Cloud Service Registry Reader': '/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65'
+ 'Azure Spring Cloud Service Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1'
+ 'Azure Spring Cloud Config Server Reader': '/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7'
+ 'Azure Spring Cloud Config Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b'
+ 'Azure VM Managed identities restore Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd'
+ 'Azure Maps Search and Render Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005'
+ 'Azure Maps Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb'
 }
 var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep
index 216c4c97de..bc5c782d19 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep
@@ -6,53 +6,32 @@ param subscriptionId string = subscription().subscriptionId
 param location string = deployment().location
 var builtInRoleNames_var = {
- 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
- 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
- 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
+ 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
+ 'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
+ 'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
+ 'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
 'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
 'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
- 'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
 'API Management Service Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61'
 'API Management Service Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d'
- 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
- 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
 'Application Insights Component Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ae349356-3a1b-4a5e-921d-050484c6347e'
 'Application Insights Snapshot Debugger': '/providers/Microsoft.Authorization/roleDefinitions/08954f03-6346-4c2e-81c0-ec3a5cfae23b'
- 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e'
 'Attestation Reader': '/providers/Microsoft.Authorization/roleDefinitions/fd1bd22b-8476-40bc-a0bc-69b95687b9f3'
 'Automation Job Operator': '/providers/Microsoft.Authorization/roleDefinitions/4fe576fe-1146-4730-92eb-48519fa6bf9f'
- 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
 'Automation Runbook Operator': '/providers/Microsoft.Authorization/roleDefinitions/5fb5aef8-1081-4b8e-bb16-9d5d0385bab5'
+ 'Automation Operator': '/providers/Microsoft.Authorization/roleDefinitions/d3881f73-407a-4167-8283-e981cbba0404'
 'Avere Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4f8fab4f-1852-4a58-a46a-8eaf358af14a'
 'Avere Operator': '/providers/Microsoft.Authorization/roleDefinitions/c025889f-8102-4ebf-b32c-fc0c6f0c6bd9'
- 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7'
- 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302'
- 'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe'
- 'Azure Digital Twins Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3'
- 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec'
- 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
- 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975'
 'Azure Kubernetes Service Cluster Admin Role': '/providers/Microsoft.Authorization/roleDefinitions/0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8'
 'Azure Kubernetes Service Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
- 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
- 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204'
 'Azure Maps Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/423170ca-a8f6-4b0f-8487-9e4eb8f49bfa'
- 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
- 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
- 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
- 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
- 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
- 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
 'Azure Stack Registration Owner': '/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a'
 'Backup Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b'
+ 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
 'Backup Operator': '/providers/Microsoft.Authorization/roleDefinitions/00c29273-979b-4161-815c-10b084fb9324'
 'Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/a795c7a0-d4a2-40c1-ae25-d81f01202912'
- 'Billing Reader': '/providers/Microsoft.Authorization/roleDefinitions/fa23ad8b-c56e-40d8-ac0c-ce449e1d2c64'
 'BizTalk Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342'
- 'Blockchain Member Node Access (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/31a002a1-acaf-453e-8a5b-297c9ca1ea24'
- 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
- 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
 'CDN Endpoint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/426e0c7f-0c7e-4658-b36f-ff54d6c29b45'
 'CDN Endpoint Reader': '/providers/Microsoft.Authorization/roleDefinitions/871e35f6-b5c1-49cc-a043-bde969a0f2cd'
 'CDN Profile Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ec156ff8-a8d1-4d15-830c-5b80698ca432'
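Review bot: This hunk drops `'Azure Digital Twins Owner (Preview)'`, `'Azure Digital Twins Reader (Preview)'` and `'Blockchain Member Node Access (Preview)'` from `builtInRoleNames_var` with no same-named replacement in the hunk, so any existing parameter file that names a role by one of those strings will no longer resolve to a role definition GUID. If this file resolves names the way the sibling module shown just above does (`contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName`), the unresolved display name is passed through verbatim as the role definition ID and the mistake only surfaces at deployment time as an opaque ARM error; consider keeping the retired names as aliases of the same GUID, e.g. `'Azure Digital Twins Owner (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe'`, or recording the removed and renamed keys as a breaking change in the module readme. Separately, moving `'AcrPull'`/`'AcrImageSigner'`/`'AcrDelete'` below `'AcrPush'` and `'Billing Reader'` between the Backup entries leaves the map unsorted; since every value in this object is a privilege grant, an alphabetically ordered list makes it much easier for a reviewer to spot a display name paired with the wrong, more privileged GUID, so restoring the original ordering would help. The `builtInRoleNames_var` object literal continues beyond the end of this hunk.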
@@ -60,129 +39,257 @@ var builtInRoleNames_var = {
 'Classic Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b34d265f-36f7-4a0d-a4d4-e158ca92e90f'
 'Classic Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86e8f5dc-a6e9-4c67-9d15-de283e8eac25'
 'Classic Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/985d6b00-f706-48f5-a6fe-d0ca12fb668d'
- 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
 'ClearDB MySQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9106cda0-8a86-4e81-b686-29a22c54effe'
- 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
- 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
- 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f'
- 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c'
- 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73'
- 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
- 'Cognitive Services Data Reader (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/b59867f0-fa02-499b-be73-45a86b5b3e1c'
- 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
- 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
+ 'Classic Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb'
 'Cognitive Services User': '/providers/Microsoft.Authorization/roleDefinitions/a97b65f3-24c7-4388-baec-2e87135dc908'
+ 'Cognitive Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68'
+ 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
 'Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
 'Cosmos DB Account Reader Role': '/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8'
- 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
- 'CosmosBackupOperator': '/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb'
 'Cost Management Contributor': '/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430'
 'Cost Management Reader': '/providers/Microsoft.Authorization/roleDefinitions/72fafb9e-0641-4937-9268-a91bfd8191a3'
 'Data Box Contributor': '/providers/Microsoft.Authorization/roleDefinitions/add466c9-e687-43fc-8d98-dfcf8d720be5'
 'Data Box Reader': '/providers/Microsoft.Authorization/roleDefinitions/028f4ed7-e2a9-465e-a8f4-9c0ffdfdc027'
 'Data Factory Contributor': '/providers/Microsoft.Authorization/roleDefinitions/673868aa-7521-48a0-acc6-0f60742d39f5'
- 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
 'Data Purger': '/providers/Microsoft.Authorization/roleDefinitions/150f5e0c-0603-4f03-8c7f-cf70034c4e90'
- 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
+ 'Data Lake Analytics Developer': '/providers/Microsoft.Authorization/roleDefinitions/47b7735b-770e-4598-a7da-8b91488b4c88'
 'DevTest Labs User': '/providers/Microsoft.Authorization/roleDefinitions/76283e04-6283-4c54-8f91-bcf1374a3c64'
- 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
 'DocumentDB Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450'
+ 'DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/befefa01-2a29-4197-83a8-272ff33ce314'
 'EventGrid EventSubscription Contributor': '/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443'
 'EventGrid EventSubscription Reader': '/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405'
- 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c'
- 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c'
- 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1'
- 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd'
- 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843'
- 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508'
- 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913'
 'Graph Owner': '/providers/Microsoft.Authorization/roleDefinitions/b60367af-1334-4454-b71e-769d9a4f83d9'
- 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a'
 'HDInsight Domain Services Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8d8d5a11-05d3-4bda-a417-a08778121c7c'
- 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d'
- 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
- 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
- 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8'
- 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec'
 'Intelligent Systems Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e'
 'Key Vault Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f25e0fa2-a7c8-4377-a976-54943a77a395'
 'Knowledge Consumer': '/providers/Microsoft.Authorization/roleDefinitions/ee361c5d-f7b5-4119-b4b6-892157c8f64c'
- 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
 'Lab Creator': '/providers/Microsoft.Authorization/roleDefinitions/b97fb8bc-a8b2-4522-a38b-dd33c7e65ead'
- 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
 'Log Analytics Reader': '/providers/Microsoft.Authorization/roleDefinitions/73c42c96-874c-492b-b04d-ab87d138a893'
- 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
+ 'Log Analytics Contributor': '/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293'
 'Logic App Operator': '/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe'
- 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
+ 'Logic App Contributor': '/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e'
 'Managed Application Operator Role': '/providers/Microsoft.Authorization/roleDefinitions/c7393b34-138c-406f-901b-d8cf2b17e6ae'
 'Managed Applications Reader': '/providers/Microsoft.Authorization/roleDefinitions/b9331d33-8a36-4f8c-b097-4f54124fdb44'
- 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
 'Managed Identity Operator': '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'
- 'Managed Services Registration assignment Delete ': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
+ 'Managed Identity Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e40ec5ca-96e0-45a2-b4ff-59039f2c2b59'
 'Management Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d58bcaf-24a5-4b20-bdb6-eed9f69fbe4c'
 'Management Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/ac63b705-f282-497d-ac71-919bf39d939d'
- 'Marketplace Admin': '/providers/Microsoft.Authorization/roleDefinitions/dd920d6d-f481-47f1-b461-f338c46b2d9f'
- 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
 'Monitoring Metrics Publisher': '/providers/Microsoft.Authorization/roleDefinitions/3913510d-42f4-4e42-8a64-420c390055eb'
 'Monitoring Reader': '/providers/Microsoft.Authorization/roleDefinitions/43d0d8ad-25c7-4714-9337-8ba259a9fe05'
 'Network Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7'
+ 'Monitoring Contributor': '/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa'
 'New Relic APM Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5d28c62d-5b37-4476-8438-e587778df237'
- 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745'
 'Owner': '/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
- 'Policy Insights Data Writer (Preview)': '/providers/Microsoft.Authorization/roleDefinitions/66bb4e9e-b016-4a94-8249-4c0511c2be84'
- 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
 'Reader': '/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
- 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
 'Redis Cache Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17'
- 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
- 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
+ 'Reader and Data Access': '/providers/Microsoft.Authorization/roleDefinitions/c12c1c16-33a1-487b-954d-41c89c60f349'
 'Resource Policy Contributor': '/providers/Microsoft.Authorization/roleDefinitions/36243c78-bf99-498c-9df9-86d9f8d28608'
 'Scheduler Job Collections Contributor': '/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94'
 'Search Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7ca78c08-252a-4471-8644-bb5ff32d4ba0'
 'Security Admin': '/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd'
- 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5'
- 'Security Manager (Legacy)': '/providers/Microsoft.Authorization/roleDefinitions/e3d13bf0-dd5a-482e-ba6b-9b8433878d10'
 'Security Reader': '/providers/Microsoft.Authorization/roleDefinitions/39bc4728-0917-49c7-9d2c-d95423bc2eb4'
- 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
- 'SignalR Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
+ 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
 'Site Recovery Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6670b86e-a3f7-4917-ac9b-5d6ab1be4567'
 'Site Recovery Operator': '/providers/Microsoft.Authorization/roleDefinitions/494ae006-db33-4328-bf46-533a6560a3ca'
+ 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
 'Site Recovery Reader': '/providers/Microsoft.Authorization/roleDefinitions/dbaa88c4-0c30-4179-9fb3-46319faa6149'
- 'Spatial Anchors Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8bbe83f1-e2a6-4df7-8cb4-4e04d4e5c827'
 'Spatial Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/70bbe301-9835-447d-afdd-19eb3167307c'
- 'Spatial Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/5d51204f-eb77-4b1c-b86a-2ec626c49413'
- 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
 'SQL Managed Instance Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d'
+ 'SQL DB Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec'
 'SQL Security Manager': '/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3'
- 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
 'Storage Account Contributor': '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
+ 'SQL Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437'
 'Storage Account Key Operator Service Role': '/providers/Microsoft.Authorization/roleDefinitions/81a9662b-bebf-436f-a333-f67b29880f12'
 'Storage Blob Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
 'Storage Blob Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
 'Storage Blob Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
- 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
- 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
- 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
- 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
 'Storage Queue Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/974c5e8b-45b9-4653-ba55-5f855dd0fb88'
 'Storage Queue Data Message Processor': '/providers/Microsoft.Authorization/roleDefinitions/8a0f0c08-91a1-4084-bc3d-661d67233fed'
 'Storage Queue Data Message Sender': '/providers/Microsoft.Authorization/roleDefinitions/c6a89b2d-59bc-44d0-9896-0f6e12d7b80a'
 'Storage Queue Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/19e7f393-937e-4f77-808e-94535e297925'
 'Support Request Contributor': '/providers/Microsoft.Authorization/roleDefinitions/cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e'
- 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
 'Traffic Manager Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a4b10055-b0c7-44c2-b00f-c7b5b3550cf7'
- 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
 'Virtual Machine Administrator Login': '/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4'
- 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
+ 'User Access Administrator': '/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
 'Virtual Machine User Login': '/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52'
+ 'Virtual Machine Contributor': '/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c'
 'Web Plan Contributor': '/providers/Microsoft.Authorization/roleDefinitions/2cc479cb-7b4d-49a8-b449-8c00fd0f0a4b'
 'Website Contributor': '/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772'
- 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
+ 'Azure Service Bus Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419'
+ 'Azure Event Hubs Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec'
+ 'Attestation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/bbf86eb8-f7b4-4cce-96e4-18cddf81d86e'
+ 'HDInsight Cluster Operator': '/providers/Microsoft.Authorization/roleDefinitions/61ed4efc-fab3-44fd-b111-e24485cc132a'
+ 'Cosmos DB Operator': '/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa'
+ 'Hybrid Server Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/48b40c6e-82e0-4eb3-90d5-19e40f49b624'
+ 'Hybrid Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/5d1e5ee4-7c68-4a71-ac8b-0739630a3dfb'
+ 'Azure Event Hubs Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/a638d3c7-ab3a-418d-83e6-5f17a39d4fde'
+ 'Azure Event Hubs Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/2b629674-e913-4c01-ae53-ef4638d8f975'
+ 'Azure Service Bus Data Receiver': '/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
+ 'Azure Service Bus Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
+ 'Storage File Data SMB Share Reader': '/providers/Microsoft.Authorization/roleDefinitions/aba4ae5f-2193-4029-9191-0cb91df5e314'
+ 'Storage File Data SMB Share Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
+ 'Private DNS Zone Contributor': '/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f'
+ 'Storage Blob Delegator': '/providers/Microsoft.Authorization/roleDefinitions/db58b8e5-c6ad-4a2a-8342-4190687cbf4a'
+ 'Desktop Virtualization User': '/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63'
+ 'Storage File Data SMB Share Elevated Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a7264617-510b-434b-a828-9731dc254ea7'
+ 'Blueprint Contributor': '/providers/Microsoft.Authorization/roleDefinitions/41077137-e803-4205-871c-5a86e6a753b4'
+ 'Blueprint Operator': '/providers/Microsoft.Authorization/roleDefinitions/437d2ced-4a38-4302-8479-ed2bcb43d090'
+ 'Azure Sentinel Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ab8e14d6-4a74-4a29-9ba8-549422addade'
+ 'Azure Sentinel Responder': '/providers/Microsoft.Authorization/roleDefinitions/3e150937-b8fe-4cfb-8069-0eaf05ecd056'
+ 'Azure Sentinel Reader': '/providers/Microsoft.Authorization/roleDefinitions/8d289c81-5878-46d4-8554-54e1e3d8b5cb'
 'Workbook Reader': '/providers/Microsoft.Authorization/roleDefinitions/b279062a-9be3-42a0-92ae-8b3cf002ec4d'
+ 'Workbook Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e8ddcd69-c73f-4f9f-9844-4100522f16ad'
+ 'SignalR AccessKey Reader': '/providers/Microsoft.Authorization/roleDefinitions/04165923-9d83-45d5-8227-78b77b0a687e'
+ 'SignalR/Web PubSub Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8cf5e20a-e4b2-4e9d-b3a1-5ceb692c2761'
+ 'Azure Connected Machine Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/b64e21ea-ac4e-4cdf-9dc9-5b892992bee7'
+ 'Azure Connected Machine Resource Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cd570a14-e51a-42ad-bac8-bafd67325302'
+ 'Managed Services Registration assignment Delete Role': '/providers/Microsoft.Authorization/roleDefinitions/91c1777a-f3dc-4fae-b103-61d183457e46'
+ 'App Configuration Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b'
+ 'App Configuration Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
+ 'Kubernetes Cluster - Azure Arc Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41'
+ 'Experimentation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a22b-edd6ce5c915c'
+ 'Cognitive Services QnA Maker Reader': '/providers/Microsoft.Authorization/roleDefinitions/466ccd10-b268-4a11-b098-b4849f024126'
+ 'Cognitive Services QnA Maker Editor': '/providers/Microsoft.Authorization/roleDefinitions/f4cc2bf9-21be-47a1-bdf1-5c5804381025'
+ 'Experimentation Administrator': '/providers/Microsoft.Authorization/roleDefinitions/7f646f1b-fa08-80eb-a33b-edd6ce5c915c'
+ 'Remote Rendering Administrator': '/providers/Microsoft.Authorization/roleDefinitions/3df8b902-2a6f-47c7-8cc5-360e9b272a7e'
+ 'Remote Rendering Client': '/providers/Microsoft.Authorization/roleDefinitions/d39065c4-c120-43c9-ab0a-63eed9795f0a'
+ 'Managed Application Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/641177b8-a67a-45b9-a033-47bc880bb21e'
+ 'Security Assessment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/612c2aa1-cb24-443b-ac28-3ab7272de6f5'
+ 'Tag Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f'
+ 'Integration Service Environment Developer': '/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec'
+ 'Integration Service Environment Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8'
+ 'Azure Kubernetes Service Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8'
+ 'Azure Digital Twins Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/d57506d4-4c8d-48b1-8587-93c323f6a5a3'
+ 'Azure Digital Twins Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/bcd981a7-7f74-457b-83e1-cceb9e632ffe'
+ 'Hierarchy Settings Administrator': '/providers/Microsoft.Authorization/roleDefinitions/350f8d15-c687-4448-8ae1-157740a3936d'
+ 'FHIR Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd'
+ 'FHIR Data Exporter': '/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843'
+ 'FHIR Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508'
+ 'FHIR Data Writer': '/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913'
+ 'Experimentation Reader': '/providers/Microsoft.Authorization/roleDefinitions/49632ef5-d9ac-41f4-b8e7-bbe587fa74a1'
+ 'Object Understanding Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/4dd61c23-6743-42fe-a388-d8bdd41cb745'
+ 'Azure Maps Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8f5e0ce6-4f7b-4dcf-bddf-e6f48634a204'
+ 'Cognitive Services Custom Vision Contributor': '/providers/Microsoft.Authorization/roleDefinitions/c1ff6cc2-c111-46fe-8896-e0ef812ad9f3'
+ 'Cognitive Services Custom Vision Deployment': '/providers/Microsoft.Authorization/roleDefinitions/5c4089e1-6d96-4d2f-b296-c1bc7137275f'
+ 'Cognitive Services Custom Vision Labeler': '/providers/Microsoft.Authorization/roleDefinitions/88424f51-ebe7-446f-bc41-7fa16989e96c'
+ 'Cognitive Services Custom Vision Reader': '/providers/Microsoft.Authorization/roleDefinitions/93586559-c37d-4a6b-ba08-b9f0940c2d73'
+ 'Cognitive Services Custom Vision Trainer': '/providers/Microsoft.Authorization/roleDefinitions/0a5ae4ab-0d65-4eeb-be61-29fc9b54394b'
+ 'Key Vault Administrator': '/providers/Microsoft.Authorization/roleDefinitions/00482a5a-887f-4fb3-b363-3b7fe8e74483'
+ 'Key Vault Crypto Officer': '/providers/Microsoft.Authorization/roleDefinitions/14b46e9e-c2b7-41b4-b07b-48a6ebf60603'
+ 'Key Vault Crypto User': '/providers/Microsoft.Authorization/roleDefinitions/12338af0-0e69-4776-bea7-57ae8d297424'
+ 'Key Vault Secrets Officer': '/providers/Microsoft.Authorization/roleDefinitions/b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
+ 'Key Vault Secrets User': '/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6'
+ 'Key Vault Certificates Officer': '/providers/Microsoft.Authorization/roleDefinitions/a4417e6f-fecd-4de8-b567-7b0420556985'
+ 'Key Vault Reader': '/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2'
+ 'Key Vault Crypto Service Encryption User': '/providers/Microsoft.Authorization/roleDefinitions/e147488a-f6f5-4113-8e2d-b22465e65bf6'
+ 'Azure Arc Kubernetes Viewer': '/providers/Microsoft.Authorization/roleDefinitions/63f0a09d-1495-4db4-a681-037d84835eb4'
+ 'Azure Arc Kubernetes Writer': '/providers/Microsoft.Authorization/roleDefinitions/5b999177-9696-4545-85c7-50de3797e5a1'
+ 'Azure Arc Kubernetes Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/8393591c-06b9-48a2-a542-1bd6b377f6a2'
+ 'Azure Arc Kubernetes Admin': '/providers/Microsoft.Authorization/roleDefinitions/dffb1e0c-446f-4dde-a09f-99eb5cc68b96'
+ 'Azure Kubernetes Service RBAC Cluster Admin': '/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b'
+ 'Azure Kubernetes Service RBAC Admin': '/providers/Microsoft.Authorization/roleDefinitions/3498e952-d568-435e-9b2c-8d77e338d7f7'
+ 'Azure Kubernetes Service RBAC Reader': '/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db'
+ 'Azure Kubernetes Service RBAC Writer': '/providers/Microsoft.Authorization/roleDefinitions/a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb'
+ 'Services Hub Operator': '/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b'
+ 'Object Understanding Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/d18777c0-1514-4662-8490-608db7d334b6'
+ 'Azure Arc Enabled Kubernetes Cluster User Role': '/providers/Microsoft.Authorization/roleDefinitions/00493d72-78f6-4148-b6c5-d3ce8e4799dd'
+ 'SignalR REST API Owner': '/providers/Microsoft.Authorization/roleDefinitions/fd53cd77-2268-407a-8f46-7e7863d0f521'
+ 'Collaborative Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/daa9e50b-21df-454c-94a6-a8050adab352'
+ 'Device Update Reader': '/providers/Microsoft.Authorization/roleDefinitions/e9dba6fb-3d52-4cf0-bce3-f06ce71b9e0f'
+ 'Device Update Administrator': '/providers/Microsoft.Authorization/roleDefinitions/02ca0879-e8e4-47a5-a61e-5c618b76e64a'
+ 'Device Update Content Administrator': '/providers/Microsoft.Authorization/roleDefinitions/0378884a-3af5-44ab-8323-f5b22f9f3c98'
+ 'Device Update Deployments Administrator': '/providers/Microsoft.Authorization/roleDefinitions/e4237640-0e3d-4a46-8fda-70bc94856432'
+ 'Device Update Deployments Reader': '/providers/Microsoft.Authorization/roleDefinitions/49e2f5d2-7741-4835-8efa-19e1fe35e47f'
+ 'Device Update Content Reader': '/providers/Microsoft.Authorization/roleDefinitions/d1ee9a80-8b14-47f0-bdc2-f4a351625a7b'
+ 'Cognitive Services Metrics Advisor Administrator': '/providers/Microsoft.Authorization/roleDefinitions/cb43c632-a144-4ec5-977c-e80c4affc34a'
+ 'Cognitive Services Metrics Advisor User': '/providers/Microsoft.Authorization/roleDefinitions/3b20f47b-3825-43cb-8114-4bd2201156a8'
+ 'AgFood Platform Service Reader': '/providers/Microsoft.Authorization/roleDefinitions/7ec7ccdc-f61e-41fe-9aaf-980df0a44eba'
+ 'AgFood Platform Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8508508a-4469-4e45-963b-2518ee0bb728'
+ 'AgFood Platform Service Admin': '/providers/Microsoft.Authorization/roleDefinitions/f8da80de-1ff9-4747-ad80-a19b7f6079e3'
+ 'Managed HSM contributor': '/providers/Microsoft.Authorization/roleDefinitions/18500a29-7fe2-46b2-a342-b16a415e101d'
+ 'Security Detonation Chamber Submitter': '/providers/Microsoft.Authorization/roleDefinitions/0b555d9b-b4a7-4f43-b330-627f0e5be8f0'
+ 'SignalR REST API Reader': '/providers/Microsoft.Authorization/roleDefinitions/ddde6b66-c0df-4114-a159-3618637b3035'
+ 'SignalR Service Owner': '/providers/Microsoft.Authorization/roleDefinitions/7e4f1700-ea5a-4f59-8f37-079cfe29dce3'
+ 'Reservation Purchaser': '/providers/Microsoft.Authorization/roleDefinitions/f7b75c60-3036-4b75-91c3-6b41c27c1689'
+ 'Storage Account Backup Contributor Role': '/providers/Microsoft.Authorization/roleDefinitions/e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1'
+ 'Experimentation Metric Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6188b7c9-7d01-4f99-a59f-c88b630326c0'
+ 'Project Babylon Data Curator': '/providers/Microsoft.Authorization/roleDefinitions/9ef4ef9c-a049-46b0-82ab-dd8ac094c889'
+ 'Project Babylon Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/c8d896ba-346d-4f50-bc1d-7d1c84130446'
+ 'Project Babylon Data Source Administrator':
'/providers/Microsoft.Authorization/roleDefinitions/05b7651b-dc44-475e-b74d-df3db49fae0f' + 'Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/ca6382a4-1721-4bcf-a114-ff0c70227b6b' + 'Desktop Virtualization Reader': '/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868' + 'Desktop Virtualization Contributor': '/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387' + 'Desktop Virtualization Workspace Contributor': '/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b' + 'Desktop Virtualization User Session Operator': '/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6' + 'Desktop Virtualization Session Host Operator': '/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408' + 'Desktop Virtualization Host Pool Reader': '/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822' + 'Desktop Virtualization Host Pool Contributor': '/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc' + 'Desktop Virtualization Application Group Reader': '/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55' + 'Desktop Virtualization Application Group Contributor': '/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8' + 'Desktop Virtualization Workspace Reader': '/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d' + 'Disk Backup Reader': '/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24' + 'Disk Restore Operator': '/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13' + 'Disk Snapshot Contributor': '/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce' + 'Microsoft.Kubernetes connected cluster role': 
'/providers/Microsoft.Authorization/roleDefinitions/5548b2cf-c94c-4228-90ba-30851930a12f' + 'Security Detonation Chamber Submission Manager': '/providers/Microsoft.Authorization/roleDefinitions/a37b566d-3efa-4beb-a2f2-698963fa42ce' + 'Security Detonation Chamber Publisher': '/providers/Microsoft.Authorization/roleDefinitions/352470b3-6a9c-4686-b503-35deb827e500' + 'Collaborative Runtime Operator': '/providers/Microsoft.Authorization/roleDefinitions/7a6f0e70-c033-4fb1-828c-08514e5f4102' + 'CosmosRestoreOperator': '/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f' + 'FHIR Data Converter': '/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24' + 'Azure Sentinel Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f4c81013-99ee-4d62-a7ee-b3f1f648599a' + 'Quota Request Operator': '/providers/Microsoft.Authorization/roleDefinitions/0e5f05e5-9ab9-446b-b98d-1e2157c94125' + 'EventGrid Contributor': '/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de' + 'Security Detonation Chamber Reader': '/providers/Microsoft.Authorization/roleDefinitions/28241645-39f8-410b-ad48-87863e2951d5' + 'Object Anchors Account Reader': '/providers/Microsoft.Authorization/roleDefinitions/4a167cdf-cb95-4554-9203-2347fe489bd9' + 'Object Anchors Account Owner': '/providers/Microsoft.Authorization/roleDefinitions/ca0835dd-bacc-42dd-8ed2-ed5e7230d15b' + 'WorkloadBuilder Migration Agent Role': '/providers/Microsoft.Authorization/roleDefinitions/d17ce0a2-0697-43bc-aac5-9113337ab61c' + 'Azure Spring Cloud Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b5537268-8956-4941-a8f0-646150406f0c' + 'Cognitive Services Speech User': '/providers/Microsoft.Authorization/roleDefinitions/f2dc8367-1007-4938-bd23-fe263f013447' + 'Cognitive Services Speech Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0e75ca1e-0464-4b4d-8b93-68208a576181' + 'Cognitive 
Services Face Recognizer': '/providers/Microsoft.Authorization/roleDefinitions/9894cab4-e18a-44aa-828b-cb588cd6f2d7' + 'Media Services Account Administrator': '/providers/Microsoft.Authorization/roleDefinitions/054126f8-9a2b-4f1c-a9ad-eca461f08466' + 'Media Services Live Events Administrator': '/providers/Microsoft.Authorization/roleDefinitions/532bc159-b25e-42c0-969e-a1d439f60d77' + 'Media Services Media Operator': '/providers/Microsoft.Authorization/roleDefinitions/e4395492-1534-4db2-bedf-88c14621589c' + 'Media Services Policy Administrator': '/providers/Microsoft.Authorization/roleDefinitions/c4bba371-dacd-4a26-b320-7250bca963ae' + 'Media Services Streaming Endpoints Administrator': '/providers/Microsoft.Authorization/roleDefinitions/99dba123-b5fe-44d5-874c-ced7199a5804' + 'Stream Analytics Query Tester': '/providers/Microsoft.Authorization/roleDefinitions/1ec5b3c1-b17e-4e25-8312-2acb3c3c5abf' + 'AnyBuild Builder': '/providers/Microsoft.Authorization/roleDefinitions/a2138dac-4907-4679-a376-736901ed8ad8' + 'IoT Hub Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/b447c946-2db7-41ec-983d-d8bf3b1c77e3' + 'IoT Hub Twin Contributor': '/providers/Microsoft.Authorization/roleDefinitions/494bdba2-168f-4f31-a0a1-191d2f7c028c' + 'IoT Hub Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4ea46cd5-c1b2-4a8e-910b-273211f9ce47' + 'IoT Hub Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/4fc6c259-987e-4a07-842e-c321cc9d413f' + 'Test Base Reader': '/providers/Microsoft.Authorization/roleDefinitions/15e0f5a1-3450-4248-8e25-e2afe88a9e85' + 'Search Index Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/1407120a-92aa-4202-b7e9-c0e197c71c8f' + 'Search Index Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/8ebe5a00-799e-43f5-93ac-243d3dce84a7' + 'Storage Table Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/76199698-9eea-4c19-bc75-cec21354c6b6' + 'Storage Table 
Data Contributor': '/providers/Microsoft.Authorization/roleDefinitions/0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3' + 'DICOM Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a' + 'DICOM Data Owner': '/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8' + 'EventGrid Data Sender': '/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7' + 'Disk Pool Operator': '/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840' + 'AzureML Data Scientist': '/providers/Microsoft.Authorization/roleDefinitions/f6c7c914-8db3-469d-8ca1-694a8f32e121' + 'Grafana Admin': '/providers/Microsoft.Authorization/roleDefinitions/22926164-76b3-42b3-bc55-97df8dab3e41' + 'Azure Connected SQL Server Onboarding': '/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508' + 'Azure Relay Sender': '/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d' + 'Azure Relay Owner': '/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38' + 'Azure Relay Listener': '/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d' + 'Grafana Viewer': '/providers/Microsoft.Authorization/roleDefinitions/60921a7e-fef1-4a43-9b16-a26c52ad4769' + 'Grafana Editor': '/providers/Microsoft.Authorization/roleDefinitions/a79a5197-3a5c-4973-a920-486035ffd60f' + 'Automation Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f353d9bd-d4a6-484e-a77a-8050b599b867' + 'Kubernetes Extension Contributor': '/providers/Microsoft.Authorization/roleDefinitions/85cb6faf-e071-4c9b-8136-154b5a04f717' + 'Device Provisioning Service Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/10745317-c249-44a1-a5ce-3a4353c0bbd8' + 'Device Provisioning Service Data Contributor': 
'/providers/Microsoft.Authorization/roleDefinitions/dfce44e4-17b7-4bd1-a6d1-04996ec95633'
+ 'CodeSigning Certificate Profile Signer': '/providers/Microsoft.Authorization/roleDefinitions/2837e146-70d7-4cfd-ad55-7efa6464f958'
+ 'Azure Spring Cloud Service Registry Reader': '/providers/Microsoft.Authorization/roleDefinitions/cff1b556-2399-4e7e-856d-a8f754be7b65'
+ 'Azure Spring Cloud Service Registry Contributor': '/providers/Microsoft.Authorization/roleDefinitions/f5880b48-c26d-48be-b172-7927bfa1c8f1'
+ 'Azure Spring Cloud Config Server Reader': '/providers/Microsoft.Authorization/roleDefinitions/d04c6db6-4947-4782-9e91-30a88feb7be7'
+ 'Azure Spring Cloud Config Server Contributor': '/providers/Microsoft.Authorization/roleDefinitions/a06f5c24-21a7-4e1a-aa2b-f19eb6684f5b'
+ 'Azure VM Managed identities restore Contributor': '/providers/Microsoft.Authorization/roleDefinitions/6ae96244-5829-4925-a7d3-5975537d91dd'
+ 'Azure Maps Search and Render Data Reader': '/providers/Microsoft.Authorization/roleDefinitions/6be48352-4f82-47c9-ad5e-0acacefdb005'
+ 'Azure Maps Contributor': '/providers/Microsoft.Authorization/roleDefinitions/dba33070-676a-4fb0-87fa-064dc56ff7fb'
}
var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
-
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
name: guid(subscriptionId, roleDefinitionId_var, location, principalId)
properties: {
@@ -193,4 +300,4 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-prev
output roleAssignmentName string = roleAssignment.name
output roleAssignmentScope string = subscription().id
-output roleAssignmentId string = subscriptionResourceId(subscriptionId,'Microsoft.Authorization/roleAssignments',roleAssignment.name)
+output roleAssignmentId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
diff --git a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
index 3d4d56f8dd..4a5eec9219 100644
--- a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
@@ -3,10 +3,10 @@
"contentVersion": "1.0.0.0",
"parameters": {
"roleDefinitionIdOrName": {
- "value": "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ "value": "Reader"
},
"principalId": {
- "value": "9fa1a3c1-d53b-40ea-8617-ec99e51285a3"
+ "value": "12345678-1234-1234-1234-123456780123"
},
"subscriptionId": {
"value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
From e3c62c7e787e010e4635405c83d6967efab6ba99 Mon Sep 17 00:00:00 2001
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Wed, 13 Oct 2021 18:25:56 +1100
Subject: [PATCH 32/36] updated to test principal ID
---
.../roleAssignments/parameters/parameters.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
index 4a5eec9219..6b5b5e81ff 100644
--- a/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
+++ b/arm/Microsoft.Authorization/roleAssignments/parameters/parameters.json
@@ -6,7 +6,7 @@
"value": "Reader"
},
"principalId": {
- "value": "12345678-1234-1234-1234-123456780123"
+ "value": "5545f7a0-51f4-46af-b3b4-baecf5176a56"
},
"subscriptionId": {
"value": "8629be3b-96bc-482d-a04b-ffff597c65a2"
From 2613a92cf9884589a746723ff64ff196d79abdcd Mon Sep 17 00:00:00 2001
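Review bot: The principalId on the added line of the PATCH 32 hunk is no longer a recognisable placeholder but, as far as I can tell, a real Entra object ID, and nothing in this parameter file or the module readme says which identity it is. Because this is the module's test parameter set, every test run will create a Reader assignment on subscription 8629be3b-96bc-482d-a04b-ffff597c65a2 for that principal; a JSON parameters file cannot carry a comment, so the readme should name the identity (for example the pipeline's test service principal) and state that the assignment is removed by test teardown. Without that, a later reviewer cannot distinguish a deliberate test identity from a pasted personal account.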
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com>
Date: Sun, 17 Oct 2021 21:31:03 +1100
Subject: [PATCH 33/36] Updated VNET Peering Template
---
.../virtualNetworkPeerings/deploy.bicep | 43 +++++++++----
.../parameters/parameters.json | 30 ++++-----
.../virtualNetworkPeerings/readme.md | 61 +++++++-----------
.../.bicep/nested_cuaId.bicep | 0
.../virtualNetworkPeerings/deploy.bicep | 30 +++++++++
.../parameters/parameters.json | 22 +++++++
.../virtualNetworkPeerings/readme.md | 62 +++++++++++++++++++
7 files changed, 185 insertions(+), 63 deletions(-)
create mode 100644 constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/.bicep/nested_cuaId.bicep
create mode 100644 constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/deploy.bicep
create mode 100644 constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/parameters/parameters.json
create mode 100644 constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/readme.md
diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
index 23b49f2162..7b33138c07 100644
--- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
@@ -1,8 +1,26 @@
+@description('Optional. The Name of Vnet Peering resource. If not provided, value will be localVnetName-remoteVnetName')
+param peeringName string = '${localVnetName}-${last(split(remoteVirtualNetworkId, '/'))}'
+
@description('Required. The Name of the Virtual Network to add the peering to.')
param localVnetName string
-@description('Optional. Optional. The list of remote networks to peering peer with, including the configuration.')
-param peeringConfigurations array = []
+@description('Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID')
+param remoteVirtualNetworkId string
+
+@description('Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true')
+param allowForwardedTraffic bool = true
+
+@description('Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false')
+param allowGatewayTransit bool = false
+
+@description('Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true')
+param allowVirtualNetworkAccess bool = true
+
+@description('Optional. If we need to verify the provisioning state of the remote gateway. Default is true')
+param doNotVerifyRemoteGateways bool = true
+
+@description('Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false')
+param useRemoteGateways bool = false
@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
param cuaId string = ''
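Review bot: The description of `doNotVerifyRemoteGateways` states the opposite of what the parameter does: the name means the remote gateway's provisioning state is skipped when it is true, yet the text reads "If we need to verify the provisioning state of the remote gateway. Default is true", so a reader setting it to true to get a check gets none. Suggest `@description('Optional. If set to true, the provisioning state of the remote gateway is not verified before the peering is created. Default is true')`, and consider whether skipping that check should be the default for a module that also exposes `useRemoteGateways`. The same sentence is carried into the readme parameter table later in this commit and should be corrected there too.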
@@ -12,19 +30,20 @@ module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
params: {}
}
-resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2020-05-01' = [for peeringConfiguration in peeringConfigurations: {
- name: contains(peeringConfiguration, 'peeringName') ? '${localVnetName}/${peeringConfiguration.peeringName}' : '${localVnetName}/${localVnetName}-${last(split(peeringConfiguration.remoteVirtualNetworkId, '/'))}'
+resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2021-02-01' = {
+ name: '${localVnetName}/${peeringName}'
properties: {
- allowVirtualNetworkAccess: contains(peeringConfiguration, 'allowVirtualNetworkAccess') ? peeringConfiguration.allowVirtualNetworkAccess : true
- allowForwardedTraffic: contains(peeringConfiguration, 'allowForwardedTraffic') ? peeringConfiguration.allowForwardedTraffic : true
- allowGatewayTransit: contains(peeringConfiguration, 'allowGatewayTransit') ? peeringConfiguration.allowGatewayTransit : false
- useRemoteGateways: contains(peeringConfiguration, 'useRemoteGateways') ? peeringConfiguration.useRemoteGateways : true
+ allowForwardedTraffic: allowForwardedTraffic
+ allowGatewayTransit: allowGatewayTransit
+ allowVirtualNetworkAccess: allowVirtualNetworkAccess
+ doNotVerifyRemoteGateways: doNotVerifyRemoteGateways
+ useRemoteGateways: useRemoteGateways
remoteVirtualNetwork: {
- id: peeringConfiguration.remoteVirtualNetworkId
+ id: remoteVirtualNetworkId
}
}
-}]
+}
output virtualNetworkPeeringResourceGroup string = resourceGroup().name
-output virtualNetworkPeeringNames array = [for i in range(0, length(peeringConfigurations)): virtualNetworkPeering[i].name]
-output localVirtualNetworkPeeringResourceIds array = [for peeringConfiguration in peeringConfigurations: resourceId('Microsoft.Network/virtualNetworks/virtualNetworkPeerings', localVnetName, (contains(peeringConfiguration, 'peeringName') ? peeringConfiguration.peeringName : '${localVnetName}-${last(split(peeringConfiguration.remoteVirtualNetworkId, '/'))}')) ]
+output virtualNetworkPeeringName string = virtualNetworkPeering.name
+output virtualNetworkPeeringResourceId string = virtualNetworkPeering.id
diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/parameters/parameters.json b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/parameters/parameters.json
index 5a56f2cee9..9697f29551 100644
--- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/parameters/parameters.json
+++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/parameters/parameters.json
@@ -3,20 +3,22 @@
"contentVersion": "1.0.0.0",
"parameters": {
"localVnetName": {
- "value": "sxx-az-vnet-weu-x-004"
+ "value": "vn-auea-prod-hub-01"
},
- "peeringConfigurations": {
- "value": [
- {
- "peeringName": "sxx-az-peering-weu-x-002-sxx-az-peering-weu-x-003",
- "remoteVirtualNetworkId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-003",
- "useRemoteGateways": false
- },
- {
- "remoteVirtualNetworkId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/peeringNetwork",
- "useRemoteGateways": false
- }
- ]
+ "remoteVirtualNetworkId": {
+ "value": "/subscriptions/20d6fbfe-b049-471c-95af-1369d14d0d45/resourceGroups/rg-auea-prod-network-01/providers/Microsoft.Network/virtualNetworks/vn-auea-prod-pls-01"
+ },
+ "allowForwardedTraffic": {
+ "value": true
+ },
+ "allowGatewayTransit": {
+ "value": false
+ },
+ "allowVirtualNetworkAccess": {
+ "value": true
+ },
+ "useRemoteGateways": {
+ "value": false
}
}
-}
\ No newline at end of file
+}
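Review bot: The two outputs added at the end of the hunk, `virtualNetworkPeeringName` and `virtualNetworkPeeringResourceId` (both string), do not match what the readme in this commit documents, which lists `localVirtualNetworkPeeringResourceId` and gives both outputs the type array; one side has to be corrected or a consumer wiring these outputs into another module gets the wrong name and type. The resource API version moves to 2021-02-01, but the readme's "Additional resources" link still points at the 2020-05-01 template reference, so the documented property set no longer matches the deployed one. A one-line comment on the property would also help future readers, e.g. `doNotVerifyRemoteGateways: doNotVerifyRemoteGateways // true (default) skips the remote gateway provisioning-state check`.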
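Review bot: The new test values point at what appear to be real production resources (`vn-auea-prod-hub-01`, `rg-auea-prod-network-01`, subscription 20d6fbfe-b049-471c-95af-1369d14d0d45) rather than the `sxx-az-…` networks in `dependencies-rg` under subscription 8629be3b-96bc-482d-a04b-ffff597c65a2 that the removed lines and the sibling parameter files use. If this file drives the module's CI test, the pipeline either cannot deploy into that subscription or, if it can, would create a peering against a production hub on every run; the values should go back to the shared test dependencies (or to obviously synthetic placeholders) before merge. Environment-specific names and subscription IDs are also not something a published module's sample parameters should carry.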
diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
index 3cfd096df6..475eb8075e 100644
--- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
+++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
@@ -4,51 +4,39 @@ This template deploys Virtual Network Peering. ## Resource types -| Resource Type | Api Version | -| :-- | :-- | -| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 2020-05-01 | -| `Microsoft.Resources/deployments` | 2019-10-01 | +| Resource Type | Api Version | +| :--------------------------------------------------------- | :---------- | +| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 2021-02-01 | +| `Microsoft.Resources/deployments` | 2019-10-01 | ### Resource dependency -The following resources are required to be able to deploy this resource. +The following resources are required to be able to deploy this resource. -- *None* +- Local Virtual Network (Identified by the `localVnetName` parameter). +- Remote Virtual Network (Identified by the `remoteVirtualNetworkId` parameter) ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :-- | :-- | :-- | :-- | :-- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | | -| `peeringConfigurations` | array | Optional. The list of remote networks to peering peer with, including the configuration. See below for instructions. | System.Object[] | | - -### Parameter Usage: `peeringConfigurations` - -Array containing multiple objects for different VNETs to peer with. - -```json -"peeringConfigurations": { - "value": [ - { - "peeringName": "sxx-az-peering-weu-x-002-sxx-az-peering-weu-x-003", // Optional - "remoteVirtualNetworkId": "/subscriptions//resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/", - "allowVirtualNetworkAccess": false, // Optional. Default true - "allowForwardedTraffic": false, // Optional. Default true - "allowGatewayTransit": false, // Optional. Default false - "useRemoteGateways": false // Optional. 
Default true - } - ] -} -``` +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-------------------------- | :----- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------- | :-------------- | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `peeringName` | string | Optional. The Name of Vnet Peering resource. If not provided, value will be localVnetName-remoteVnetName | | | +| `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | | +| `remoteVirtualNetworkId` | string | Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. | | | +| `allowForwardedTraffic` | bool | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. | `true` | | +| `allowGatewayTransit` | bool | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. | `false` | | +| `allowVirtualNetworkAccess` | bool | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. | `true` | | +| `doNotVerifyRemoteGateways` | bool | Optional. If we need to verify the provisioning state of the remote gateway. Default is true'. | `true` | | +| `useRemoteGateways` | bool | Optional. If remote gateways can be used on this virtual network. 
If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false | `false` | | ## Outputs -| Output Name | Type | Description | -| :-- | :-- | :-- | -| `localVirtualNetworkPeeringResourceIds` | array | | -| `virtualNetworkPeeringNames` | array | | -| `virtualNetworkPeeringResourceGroup` | string | | +| Output Name | Type | Description | +| :------------------------------------- | :----- | :---------------------------------------- | +| `localVirtualNetworkPeeringResourceId` | array | The Resource ID of the VNet Peering | +| `virtualNetworkPeeringName` | array | The name of the VNet Peering | +| `virtualNetworkPeeringResourceGroup` | string | The Resource Group name of the local VNet | ## Considerations @@ -56,7 +44,6 @@ Array containing multiple objects for different VNETs to peer with. ## Additional resources -- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags) - [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/) - [VirtualNetworks/VirtualNetworkPeerings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/virtualNetworks/virtualNetworkPeerings) -- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) \ No newline at end of file +- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments) diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/.bicep/nested_cuaId.bicep b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/.bicep/nested_cuaId.bicep new file mode 100644 index 0000000000..e69de29bb2 
diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/deploy.bicep b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/deploy.bicep
new file mode 100644
index 0000000000..23b49f2162
--- /dev/null
+++ b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/deploy.bicep
@@ -0,0 +1,30 @@
+@description('Required. The Name of the Virtual Network to add the peering to.')
+param localVnetName string
+
+@description('Optional. Optional. The list of remote networks to peering peer with, including the configuration.')
+param peeringConfigurations array = []
+
+@description('Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered')
+param cuaId string = ''
+
+module pid_cuaId './.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
+ name: 'pid-${cuaId}'
+ params: {}
+}
+
+resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2020-05-01' = [for peeringConfiguration in peeringConfigurations: {
+ name: contains(peeringConfiguration, 'peeringName') ? '${localVnetName}/${peeringConfiguration.peeringName}' : '${localVnetName}/${localVnetName}-${last(split(peeringConfiguration.remoteVirtualNetworkId, '/'))}'
+ properties: {
+ allowVirtualNetworkAccess: contains(peeringConfiguration, 'allowVirtualNetworkAccess') ? peeringConfiguration.allowVirtualNetworkAccess : true
+ allowForwardedTraffic: contains(peeringConfiguration, 'allowForwardedTraffic') ? peeringConfiguration.allowForwardedTraffic : true
+ allowGatewayTransit: contains(peeringConfiguration, 'allowGatewayTransit') ? peeringConfiguration.allowGatewayTransit : false
+ useRemoteGateways: contains(peeringConfiguration, 'useRemoteGateways') ? peeringConfiguration.useRemoteGateways : true
+ remoteVirtualNetwork: {
+ id: peeringConfiguration.remoteVirtualNetworkId
+ }
+ }
+}]
+
+output virtualNetworkPeeringResourceGroup string = resourceGroup().name
+output virtualNetworkPeeringNames array = [for i in range(0, length(peeringConfigurations)): virtualNetworkPeering[i].name]
+output localVirtualNetworkPeeringResourceIds array = [for peeringConfiguration in peeringConfigurations: resourceId('Microsoft.Network/virtualNetworks/virtualNetworkPeerings', localVnetName, (contains(peeringConfiguration, 'peeringName') ? peeringConfiguration.peeringName : '${localVnetName}-${last(split(peeringConfiguration.remoteVirtualNetworkId, '/'))}')) ]
diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/parameters/parameters.json b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/parameters/parameters.json
new file mode 100644
index 0000000000..5a56f2cee9
--- /dev/null
+++ b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/parameters/parameters.json
@@ -0,0 +1,22 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "localVnetName": {
+ "value": "sxx-az-vnet-weu-x-004"
+ },
+ "peeringConfigurations": {
+ "value": [
+ {
+ "peeringName": "sxx-az-peering-weu-x-002-sxx-az-peering-weu-x-003",
+ "remoteVirtualNetworkId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-003",
+ "useRemoteGateways": false
+ },
+ {
+ "remoteVirtualNetworkId": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/peeringNetwork",
+ "useRemoteGateways": false
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/readme.md b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/readme.md
new file mode 100644
index 0000000000..3cfd096df6
--- /dev/null
+++ b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/readme.md
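Review bot: This construct is the pre-commit content of the arm module (the new file's blob 23b49f2162 is the arm file's old index), so the two now disagree on a security-relevant default: a peering entry that omits `useRemoteGateways` gets `true` here but `false` in the arm module, and as far as I can tell a deployment with this construct will fail whenever the remote VNet has no gateway, or silently route transit through one when it does. Either align the default with the arm module (`: false` on the `useRemoteGateways:` line and in the readme's "Default true" comment) or document the difference. The `.bicep/nested_cuaId.bicep` added alongside is the empty blob (index e69de29bb2, 0 lines in the diffstat), so `pid_cuaId` deploys an empty template; confirm the arm module's nested file was meant to be copied. The description `'Optional. Optional. The list of remote networks to peering peer with, including the configuration.'` also has a doubled word and a typo: `'Optional. The list of remote networks to peer with, including the configuration.'`.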
@@ -0,0 +1,62 @@
+# VirtualNetworkPeering
+
+This template deploys Virtual Network Peering.
+
+## Resource types
+
+| Resource Type | Api Version |
+| :-- | :-- |
+| `Microsoft.Network/virtualNetworks/virtualNetworkPeerings` | 2020-05-01 |
+| `Microsoft.Resources/deployments` | 2019-10-01 |
+
+### Resource dependency
+
+The following resources are required to be able to deploy this resource.
+
+- *None*
+
+## Parameters
+
+| Parameter Name | Type | Description | DefaultValue | Possible values |
+| :-- | :-- | :-- | :-- | :-- |
+| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | |
+| `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | |
+| `peeringConfigurations` | array | Optional. The list of remote networks to peering peer with, including the configuration. See below for instructions. | System.Object[] | |
+
+### Parameter Usage: `peeringConfigurations`
+
+Array containing multiple objects for different VNETs to peer with.
+
+```json
+"peeringConfigurations": {
+ "value": [
+ {
+ "peeringName": "sxx-az-peering-weu-x-002-sxx-az-peering-weu-x-003", // Optional
+ "remoteVirtualNetworkId": "/subscriptions//resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/",
+ "allowVirtualNetworkAccess": false, // Optional. Default true
+ "allowForwardedTraffic": false, // Optional. Default true
+ "allowGatewayTransit": false, // Optional. Default false
+ "useRemoteGateways": false // Optional. 
Default true
+ }
+ ]
+}
+```
+
+## Outputs
+
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `localVirtualNetworkPeeringResourceIds` | array | |
+| `virtualNetworkPeeringNames` | array | |
+| `virtualNetworkPeeringResourceGroup` | string | |
+
+## Considerations
+
+- *None*
+
+## Additional resources
+
+- [Use tags to organize your Azure resources](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags)
+- [Azure Resource Manager template reference](https://docs.microsoft.com/en-us/azure/templates/)
+- [VirtualNetworks/VirtualNetworkPeerings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2020-05-01/virtualNetworks/virtualNetworkPeerings)
+- [Deployments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Resources/2019-10-01/deployments)
\ No newline at end of file
From 1563519f057d566743e2fdd3e5cf3bc5b6e9a127 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sun, 17 Oct 2021 21:43:14 +1100 Subject: [PATCH 34/36] updated output from testing --- .../virtualNetworkPeerings/deploy.bicep | 2 +- .../virtualNetworkPeerings/readme.md | 32 +++++++++---------- 2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
index 7b33138c07..9ea0c289ad 100644
--- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
@@ -46,4 +46,4 @@ resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetwork
 output virtualNetworkPeeringResourceGroup string = resourceGroup().name
 output virtualNetworkPeeringName string = virtualNetworkPeering.name
-output virtualNetworkPeeringResourceId string = virtualNetworkPeering.id
+output localVirtualNetworkPeeringResourceId string = virtualNetworkPeering.id
diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
index 475eb8075e..3b7a0f4bb2 100644
--- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
+++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
@@ -18,25 +18,25 @@ The following resources are required to be able to deploy this resource. ## Parameters -| Parameter Name | Type | Description | DefaultValue | Possible values | -| :-------------------------- | :----- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------- | :-------------- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `peeringName` | string | Optional. The Name of Vnet Peering resource. If not provided, value will be localVnetName-remoteVnetName | | | -| `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | | -| `remoteVirtualNetworkId` | string | Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. | | | -| `allowForwardedTraffic` | bool | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. | `true` | | -| `allowGatewayTransit` | bool | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. | `false` | | -| `allowVirtualNetworkAccess` | bool | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. | `true` | | -| `doNotVerifyRemoteGateways` | bool | Optional. If we need to verify the provisioning state of the remote gateway. Default is true'. | `true` | | -| `useRemoteGateways` | bool | Optional. If remote gateways can be used on this virtual network. 
If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false | `false` | | +| Parameter Name | Type | Description | DefaultValue | Possible values | +| :-------------------------- | :----- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------- | :-------------- | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | +| `peeringName` | string | Optional. The Name of Vnet Peering resource. If not provided, value will be localVnetName-remoteVnetName | localVnetName-remoteVnetName | | +| `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | | +| `remoteVirtualNetworkId` | string | Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. | | | +| `allowForwardedTraffic` | bool | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. | `true` | | +| `allowGatewayTransit` | bool | Optional. If gateway links can be used in remote virtual networking to link to this virtual network. Default is false. | `false` | | +| `allowVirtualNetworkAccess` | bool | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. | `true` | | +| `doNotVerifyRemoteGateways` | bool | Optional. 
If we need to verify the provisioning state of the remote gateway. Default is true'. | `true` | | +| `useRemoteGateways` | bool | Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false | `false` | | ## Outputs -| Output Name | Type | Description | -| :------------------------------------- | :----- | :---------------------------------------- | -| `localVirtualNetworkPeeringResourceId` | array | The Resource ID of the VNet Peering | -| `virtualNetworkPeeringName` | array | The name of the VNet Peering | -| `virtualNetworkPeeringResourceGroup` | string | The Resource Group name of the local VNet | +| Output Name | Type | Description | +| :----------------------------------- | :----- | :---------------------------------------- | +| `virtualNetworkPeeringResourceId` | array | The Resource ID of the VNet Peering | +| `virtualNetworkPeeringName` | array | The name of the VNet Peering | +| `virtualNetworkPeeringResourceGroup` | string | The Resource Group name of the local VNet | ## Considerations From 2d0ffb7ea542aeac1a17c10825bb16c22781de46 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sun, 17 Oct 2021 21:51:48 +1100 Subject: [PATCH 35/36] Updated virtual network peering bicep module --- .../virtualNetworkPeerings/deploy.bicep | 4 ++-- .../virtualNetworkPeerings/readme.md | 14 +++++++------- .../.bicep/nested_cuaId.bicep | 0 .../deploy.bicep | 0 .../parameters/parameters.json | 0 .../readme.md | 0 6 files changed, 9 insertions(+), 9 deletions(-) rename constructs/Microsoft.Network/virtualNetwork/{virtualNetworkPeerings => virtualNetworkPeerings-multiRemoteVnets}/.bicep/nested_cuaId.bicep (100%) rename constructs/Microsoft.Network/virtualNetwork/{virtualNetworkPeerings => virtualNetworkPeerings-multiRemoteVnets}/deploy.bicep (100%) rename constructs/Microsoft.Network/virtualNetwork/{virtualNetworkPeerings => virtualNetworkPeerings-multiRemoteVnets}/parameters/parameters.json (100%) rename constructs/Microsoft.Network/virtualNetwork/{virtualNetworkPeerings => virtualNetworkPeerings-multiRemoteVnets}/readme.md (100%)
diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
index 9ea0c289ad..4b85896967 100644
--- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/deploy.bicep
@@ -1,4 +1,4 @@
-@description('Optional. The Name of Vnet Peering resource. If not provided, value will be localVnetName-remoteVnetName')
+@description('Optional. The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName')
 param peeringName string = '${localVnetName}-${last(split(remoteVirtualNetworkId, '/'))}'
 @description('Required. The Name of the Virtual Network to add the peering to.')
@@ -46,4 +46,4 @@ resource virtualNetworkPeering 'Microsoft.Network/virtualNetworks/virtualNetwork
 output virtualNetworkPeeringResourceGroup string = resourceGroup().name
 output virtualNetworkPeeringName string = virtualNetworkPeering.name
-output localVirtualNetworkPeeringResourceId string = virtualNetworkPeering.id
+output virtualNetworkPeeringResourceId string = virtualNetworkPeering.id
diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
index 3b7a0f4bb2..b620dc294f 100644
--- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
+++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/readme.md
@@ -20,8 +20,7 @@ The following resources are required to be able to deploy this resource. | Parameter Name | Type | Description | DefaultValue | Possible values | | :-------------------------- | :----- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------- | :-------------- | -| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | -| `peeringName` | string | Optional. The Name of Vnet Peering resource. If not provided, value will be localVnetName-remoteVnetName | localVnetName-remoteVnetName | | +| `peeringName` | string | Optional. The Name of Vnet Peering resource. If not provided, default value will be localVnetName-remoteVnetName | localVnetName-remoteVnetName | | | `localVnetName` | string | Required. The Name of the Virtual Network to add the peering to. | | | | `remoteVirtualNetworkId` | string | Required. The Resource ID of the VNet that is this Local VNet is being peered to. Should be in the format of a Resource ID. | | | | `allowForwardedTraffic` | bool | Optional. Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. Default is true. | `true` | | 
@@ -29,14 +28,15 @@ The following resources are required to be able to deploy this resource. | `allowVirtualNetworkAccess` | bool | Optional. Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. Default is true. | `true` | | | `doNotVerifyRemoteGateways` | bool | Optional. If we need to verify the provisioning state of the remote gateway. Default is true'. | `true` | | | `useRemoteGateways` | bool | Optional. If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. Default is false | `false` | | +| `cuaId` | string | Optional. Customer Usage Attribution id (GUID). This GUID must be previously registered | | | ## Outputs -| Output Name | Type | Description | -| :----------------------------------- | :----- | :---------------------------------------- | -| `virtualNetworkPeeringResourceId` | array | The Resource ID of the VNet Peering | -| `virtualNetworkPeeringName` | array | The name of the VNet Peering | -| `virtualNetworkPeeringResourceGroup` | string | The Resource Group name of the local VNet | +| Output Name | Type | Description | +| :----------------------------------- | :----- | :-------------------------------------------------------------------- | +| `virtualNetworkPeeringResourceId` | array | The Resource ID of the Local VNet Peering created in this deployment. | +| `virtualNetworkPeeringName` | array | The name of the VNet Peering resource . | +| `virtualNetworkPeeringResourceGroup` | string | The Resource Group name of the local VNet Peering resource/. | ## Considerations 
diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/.bicep/nested_cuaId.bicep b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/.bicep/nested_cuaId.bicep similarity index 100% rename from constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/.bicep/nested_cuaId.bicep rename to constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/.bicep/nested_cuaId.bicep diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/deploy.bicep b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/deploy.bicep similarity index 100% rename from constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/deploy.bicep rename to constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/deploy.bicep diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/parameters/parameters.json b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/parameters/parameters.json similarity index 100% rename from constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/parameters/parameters.json rename to constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/parameters/parameters.json diff --git a/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/readme.md b/constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/readme.md similarity index 100% rename from constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings/readme.md rename to constructs/Microsoft.Network/virtualNetwork/virtualNetworkPeerings-multiRemoteVnets/readme.md From d0442532ddd181e84b70f504b0c9d01d8af08888 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sun, 17 Oct 2021 22:12:48 +1100 Subject: [PATCH 36/36] restored parameters to iacs --- .../virtualNetworkPeerings/parameters/parameters.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/parameters/parameters.json b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/parameters/parameters.json index 9697f29551..e1bf28608c 100644 --- a/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/parameters/parameters.json +++ b/arm/Microsoft.Network/virtualNetworksResources/virtualNetworkPeerings/parameters/parameters.json @@ -3,10 +3,10 @@ "contentVersion": "1.0.0.0", "parameters": { "localVnetName": { - "value": "vn-auea-prod-hub-01" + "value": "sxx-az-vnet-weu-x-002" }, "remoteVirtualNetworkId": { - "value": "/subscriptions/20d6fbfe-b049-471c-95af-1369d14d0d45/resourceGroups/rg-auea-prod-network-01/providers/Microsoft.Network/virtualNetworks/vn-auea-prod-pls-01" + "value": "/subscriptions/8629be3b-96bc-482d-a04b-ffff597c65a2/resourceGroups/dependencies-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-weu-x-003" }, "allowForwardedTraffic": { "value": true