From e226c1814481417b9a032a2d0286343da8540ebc Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 4 Dec 2021 18:06:16 +1100 Subject: [PATCH 1/6] updated Principal Type and Readme --- .../roleAssignments/.bicep/nested_rbac_mg.bicep | 14 +++++++++++--- .../roleAssignments/.bicep/nested_rbac_rg.bicep | 14 +++++++++++--- .../roleAssignments/.bicep/nested_rbac_sub.bicep | 14 +++++++++++--- .../roleAssignments/deploy.bicep | 16 ++++++++++++---- .../roleAssignments/readme.md | 6 +++--- 5 files changed, 48 insertions(+), 16 deletions(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep index 9d3b60b125..f3e6f8a47e 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep @@ -24,8 +24,16 @@ param condition string = '' ]) param conditionVersion string = '2.0' -@sys.description('Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device"') -param principalType string = 'ServicePrincipal' +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' var builtInRoleNames_var = { 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' 
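Review bot: Changing the default of principalType from 'ServicePrincipal' to '' — which the nested template turns into `principalType: null` further down the file — silently changes behaviour for every caller that assigned a role to a managed identity or service principal without setting this parameter: Azure now has to resolve the object in the directory, and for an identity created in the same deployment that lookup can fail with a replication-delay error, the case Microsoft's roleAssignments guidance says to avoid by setting ServicePrincipal explicitly. The change itself is sound, since the old default was simply wrong for User and Group principals, but the commit message does not call out the behaviour change and the new description gives no guidance on when to set the value. I would make the description carry that advice, e.g. `@sys.description('Optional. The principal type of the assigned principal ID. Set to "ServicePrincipal" when assigning to a managed identity or service principal created in the same deployment, so the assignment does not depend on directory replication; leave empty to let Azure resolve the type.')`. The same wording applies to the rg, sub and deploy.bicep copies of this parameter, and the builtInRoleNames_var map that closes this hunk continues past it.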
@@ -313,7 +321,7 @@ var builtInRoleNames_var = { var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName) -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = { +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = { name: guid(managementGroupId, roleDefinitionId_var, principalId) properties: { roleDefinitionId: roleDefinitionId_var diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep index 590e8107fd..a311ccd0be 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep @@ -27,8 +27,16 @@ param condition string = '' ]) param conditionVersion string = '2.0' -@sys.description('Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device"') -param principalType string = 'ServicePrincipal' +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' var builtInRoleNames_var = { 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' @@ -316,7 +324,7 @@ var builtInRoleNames_var = { var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName) -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = { +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = { name: guid(subscriptionId, resourceGroupName, roleDefinitionId_var, principalId) properties: { roleDefinitionId: roleDefinitionId_var 
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep index 58dab39398..cc668a16a1 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep @@ -24,8 +24,16 @@ param condition string = '' ]) param conditionVersion string = '2.0' -@sys.description('Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device"') -param principalType string = 'ServicePrincipal' +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' var builtInRoleNames_var = { 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec' @@ -313,7 +321,7 @@ var builtInRoleNames_var = { var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName) -resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = { +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = { name: guid(subscriptionId, roleDefinitionId_var, principalId) properties: { roleDefinitionId: roleDefinitionId_var diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep index 9f79c4fad1..9d1a7be00e 100644 --- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep 
@@ -33,8 +33,16 @@ param condition string = '' ]) param conditionVersion string = '2.0' -@sys.description('Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device"') -param principalType string = 'ServicePrincipal' +@sys.description('Optional. The principal type of the assigned principal ID.') +@allowed([ + 'ServicePrincipal' + 'Group' + 'User' + 'ForeignGroup' + 'Device' + '' +]) +param principalType string = '' module roleAssignment_mg '.bicep/nested_rbac_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) { name: '${uniqueString(deployment().name, location)}-roleAssignment-mg-Module' @@ -44,7 +52,7 @@ module roleAssignment_mg '.bicep/nested_rbac_mg.bicep' = if (!empty(managementGr principalId: principalId managementGroupId: managementGroupId description: !empty(description) ? description : '' - principalType: !empty(principalType) ? principalType : '' + principalType: principalType delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : '' conditionVersion: conditionVersion condition: !empty(condition) ? condition : '' @@ -59,7 +67,7 @@ module roleAssignment_sub '.bicep/nested_rbac_sub.bicep' = if (empty(managementG principalId: principalId subscriptionId: subscriptionId description: !empty(description) ? description : '' - principalType: !empty(principalType) ? principalType : '' + principalType: principalType delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : '' conditionVersion: conditionVersion condition: !empty(condition) ? condition : '' diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md index ed38221b01..b5b9ea0ce6 100644 --- a/arm/Microsoft.Authorization/roleAssignments/readme.md 
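Review bot: The `@allowed` list on principalType is now duplicated verbatim in deploy.bicep and in the three nested templates, so a value accepted here but later dropped from one of the nested lists would only fail inside the nested deployment with a less specific error. Nothing in this file shares the list between the templates, so I would at least put a one-line comment above the decorator in each copy, `// keep in sync with .bicep/nested_rbac_*.bicep`, so the next edit to the enum is made in all four places. The roleAssignment_mg module declaration that follows the parameter continues below this hunk.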
+++ b/arm/Microsoft.Authorization/roleAssignments/readme.md @@ -6,7 +6,7 @@ This module deploys Role Assignments. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview | ## Parameters 
@@ -19,7 +19,7 @@ This module deploys Role Assignments. | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | | `managementGroupId` | string | | | Optional. Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | | `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) | -| `principalType` | string | `ServicePrincipal` | | Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device" | +| `principalType` | string | '' | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. | | `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | | `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' | | `subscriptionId` | string | | | Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. | 
@@ -75,4 +75,4 @@ This module can be deployed at the management group, subscription or resource gr ## Template references -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments) From ca81ae502675b2c8427335c97b4786770dc1d59e Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 4 Dec 2021 18:11:24 +1100 Subject: [PATCH 2/6] updated the main --- arm/Microsoft.Authorization/roleAssignments/deploy.bicep | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep index 9d1a7be00e..96f606831f 100644 --- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep @@ -52,7 +52,7 @@ module roleAssignment_mg '.bicep/nested_rbac_mg.bicep' = if (!empty(managementGr principalId: principalId managementGroupId: managementGroupId description: !empty(description) ? description : '' - principalType: principalType + principalType: !empty(principalType) ? principalType : '' delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : '' conditionVersion: conditionVersion condition: !empty(condition) ? condition : '' 
@@ -67,7 +67,7 @@ module roleAssignment_sub '.bicep/nested_rbac_sub.bicep' = if (empty(managementG principalId: principalId subscriptionId: subscriptionId description: !empty(description) ? description : '' - principalType: principalType + principalType: !empty(principalType) ? principalType : '' delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : '' conditionVersion: conditionVersion condition: !empty(condition) ? condition : '' From 8c0ad0285c6571c162d86bbd39817c9522590628 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 4 Dec 2021 19:07:41 +1100 Subject: [PATCH 3/6] supported Any() for principalType to supress validation for null --- .../roleAssignments/.bicep/nested_rbac_mg.bicep | 2 +- .../roleAssignments/.bicep/nested_rbac_rg.bicep | 2 +- .../roleAssignments/.bicep/nested_rbac_sub.bicep | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep index f3e6f8a47e..fb9f4d766e 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep @@ -327,7 +327,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev roleDefinitionId: roleDefinitionId_var principalId: principalId description: !empty(description) ? description : null - principalType: !empty(principalType) ? principalType : null + principalType: any(!empty(principalType) ? principalType : null) delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null condition: !empty(condition) ? condition : null 
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep index a311ccd0be..708b03b263 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep @@ -330,7 +330,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev roleDefinitionId: roleDefinitionId_var principalId: principalId description: !empty(description) ? description : null - principalType: !empty(principalType) ? principalType : null + principalType: any(!empty(principalType) ? principalType : null) delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null condition: !empty(condition) ? condition : null diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep index cc668a16a1..1c1fe26851 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep @@ -327,7 +327,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev roleDefinitionId: roleDefinitionId_var principalId: principalId description: !empty(description) ? description : null - principalType: !empty(principalType) ? principalType : null + principalType: any(!empty(principalType) ? principalType : null) delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null condition: !empty(condition) ? condition : null From 1650b752cbcc62316e1e50e019d9f0c1fa87b230 Mon Sep 17 00:00:00 2001 
From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 4 Dec 2021 19:23:03 +1100 Subject: [PATCH 4/6] updated readme to a known API version as the latest does not exist yet --- arm/Microsoft.Authorization/roleAssignments/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md index b5b9ea0ce6..f902e97124 100644 --- a/arm/Microsoft.Authorization/roleAssignments/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/readme.md @@ -75,4 +75,4 @@ This module can be deployed at the management group, subscription or resource gr ## Template references -- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-04-01-preview/roleAssignments) +- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-08-01-preview/roleAssignments) From 127c0b7a97a98172095d67e8f54d7cc72380ee24 Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Sat, 4 Dec 2021 19:39:32 +1100 Subject: [PATCH 5/6] updated for linter --- arm/Microsoft.Authorization/roleAssignments/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md index f902e97124..85d6286130 100644 --- a/arm/Microsoft.Authorization/roleAssignments/readme.md +++ b/arm/Microsoft.Authorization/roleAssignments/readme.md 
@@ -14,7 +14,7 @@ This module deploys Role Assignments. | :-- | :-- | :-- | :-- | :-- | | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to | | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" | -| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource | +| `delegatedManagedIdentityResourceId` | string | | | Optional. ID of the delegated managed identity resource | | `description` | string | | | Optional. Description of role assignment | | `location` | string | `[deployment().location]` | | Optional. Location for all resources. | | `managementGroupId` | string | | | Optional. Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. | From 80651396684e1d0ab471b0b4f36fe819559e180d Mon Sep 17 00:00:00 2001 From: Ahmad Abdalla <28486158+ahmadabdalla@users.noreply.github.com> Date: Tue, 7 Dec 2021 08:52:35 +1100 Subject: [PATCH 6/6] moved any() to the principal type instead of all --- .../roleAssignments/.bicep/nested_rbac_mg.bicep | 2 +- .../roleAssignments/.bicep/nested_rbac_rg.bicep | 2 +- .../roleAssignments/.bicep/nested_rbac_sub.bicep | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep index fb9f4d766e..a09e9a0f10 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep 
@@ -327,7 +327,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev roleDefinitionId: roleDefinitionId_var principalId: principalId description: !empty(description) ? description : null - principalType: any(!empty(principalType) ? principalType : null) + principalType: !empty(principalType) ? any(principalType) : null delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null condition: !empty(condition) ? condition : null diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep index 708b03b263..1c23649108 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep @@ -330,7 +330,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev roleDefinitionId: roleDefinitionId_var principalId: principalId description: !empty(description) ? description : null - principalType: any(!empty(principalType) ? principalType : null) + principalType: !empty(principalType) ? any(principalType) : null delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null condition: !empty(condition) ? condition : null diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep index 1c1fe26851..e4cf93f54c 100644 --- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep +++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep 
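Review bot: `any(principalType)` switches off Bicep's type check on the value handed to the API, and nothing in the hunk says why, so a later clean-up is likely to remove it and reintroduce the warning this series set out to fix. I would record the reason in place: `// any(): '' is in the parameter's @allowed list but not in the API enum; the ternary maps '' to null, so the cast only silences the compile-time warning`. With the cast in place the only remaining guard on the value is the parameter's @allowed list, which is adequate as long as that list stays limited to the API's enum plus ''. The same line appears in the rg and sub templates, and the roleAssignment resource enclosing it starts above the hunk.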
@@ -327,7 +327,7 @@ resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-prev roleDefinitionId: roleDefinitionId_var principalId: principalId description: !empty(description) ? description : null - principalType: any(!empty(principalType) ? principalType : null) + principalType: !empty(principalType) ? any(principalType) : null delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null condition: !empty(condition) ? condition : null