From 783aaea58d7f90025f1ee9a1d1dfb4babbef4b55 Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Thu, 19 Dec 2024 15:49:43 +0000 Subject: [PATCH] feat: add `avm.ptn.authorization.role-definition` (#3931) ## Description Closes https://github.com/Azure/Azure-Verified-Modules/issues/1757 ## Pipeline Reference | Pipeline | | -------- | | [![avm.ptn.authorization.role-definition](https://github.com/jtracey93/bicep-registry-modules/actions/workflows/avm.ptn.authorization.role-definition.yml/badge.svg?branch=users%2Fjtracey93%2Ffeat%2Fadd-role-def-ptn-module)](https://github.com/jtracey93/bicep-registry-modules/actions/workflows/avm.ptn.authorization.role-definition.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings --- .github/CODEOWNERS | 1 + .github/ISSUE_TEMPLATE/avm_module_issue.yml | 1 + .../avm.ptn.authorization.role-definition.yml | 88 +++++ .../authorization/role-definition/README.md | 302 ++++++++++++++++++ .../authorization/role-definition/main.bicep | 99 ++++++ .../authorization/role-definition/main.json | 151 +++++++++ .../tests/e2e/mg.default/main.test.bicep | 31 ++ ...ubscription_owner.alz_role_definition.json | 27 ++ .../tests/e2e/mg.loadJson/main.test.bicep | 36 +++ .../role-definition/version.json | 7 + 10 files changed, 743 insertions(+) create mode 100644 .github/workflows/avm.ptn.authorization.role-definition.yml create mode 100644 avm/ptn/authorization/role-definition/README.md create mode 100644 avm/ptn/authorization/role-definition/main.bicep create mode 100644 avm/ptn/authorization/role-definition/main.json create mode 100644 avm/ptn/authorization/role-definition/tests/e2e/mg.default/main.test.bicep create mode 100644 avm/ptn/authorization/role-definition/tests/e2e/mg.loadJson/lib/subscription_owner.alz_role_definition.json create mode 100644 avm/ptn/authorization/role-definition/tests/e2e/mg.loadJson/main.test.bicep create mode 100644 avm/ptn/authorization/role-definition/version.json diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 063fd12220..8ee91f8110 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -9,6 +9,7 @@ /avm/ptn/authorization/policy-assignment/ @Azure/avm-ptn-authorization-policyassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/ptn/authorization/resource-role-assignment/ @Azure/avm-ptn-authorization-resourceroleassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep /avm/ptn/authorization/role-assignment/ @Azure/avm-ptn-authorization-roleassignment-module-owners-bicep @Azure/avm-module-reviewers-bicep +/avm/ptn/authorization/role-definition/ @Azure/avm-ptn-authorization-roledefinition-module-owners-bicep @Azure/avm-module-reviewers-bicep #/avm/ptn/avd-lza/insights/ @Azure/avm-ptn-avd-lza-insights-module-owners-bicep @Azure/avm-module-reviewers-bicep #/avm/ptn/avd-lza/management-plane/ @Azure/avm-ptn-avd-lza-managementplane-module-owners-bicep @Azure/avm-module-reviewers-bicep #/avm/ptn/avd-lza/networking/ @Azure/avm-ptn-avd-lza-networking-module-owners-bicep @Azure/avm-module-reviewers-bicep diff --git a/.github/ISSUE_TEMPLATE/avm_module_issue.yml b/.github/ISSUE_TEMPLATE/avm_module_issue.yml index 9d10003279..d926a8e242 100644 --- a/.github/ISSUE_TEMPLATE/avm_module_issue.yml +++ b/.github/ISSUE_TEMPLATE/avm_module_issue.yml @@ -44,6 +44,7 @@ body: - "avm/ptn/authorization/policy-assignment" - "avm/ptn/authorization/resource-role-assignment" - "avm/ptn/authorization/role-assignment" + - "avm/ptn/authorization/role-definition" # - "avm/ptn/avd-lza/insights" # - "avm/ptn/avd-lza/management-plane" # - "avm/ptn/avd-lza/networking" diff --git a/.github/workflows/avm.ptn.authorization.role-definition.yml b/.github/workflows/avm.ptn.authorization.role-definition.yml new file mode 100644 index 0000000000..3026e36233 --- /dev/null +++ b/.github/workflows/avm.ptn.authorization.role-definition.yml @@ -0,0 +1,88 @@ +name: "avm.ptn.authorization.role-definition" + +on: + workflow_dispatch: + inputs: + staticValidation: + type: boolean + description: "Execute static validation" + required: false + default: true + deploymentValidation: + type: boolean + description: "Execute deployment validation" + required: false + default: true + removeDeployment: + type: boolean + description: "Remove deployed module" + required: false + default: true + customLocation: + type: string + description: "Default location overwrite (e.g., eastus)" + required: false + push: + branches: + - main + paths: + - ".github/actions/templates/avm-**" + - ".github/workflows/avm.template.module.yml" + - ".github/workflows/avm.ptn.authorization.role-definition.yml" + - "avm/ptn/authorization/role-definition/**" + - "avm/utilities/pipelines/**" + - "!avm/utilities/pipelines/platform/**" + - "!*/**/README.md" + +env: + modulePath: "avm/ptn/authorization/role-definition" + workflowPath: ".github/workflows/avm.ptn.authorization.role-definition.yml" + +concurrency: + group: ${{ github.workflow }} + +jobs: + ########################### + # Initialize pipeline # + ########################### + job_initialize_pipeline: + runs-on: ubuntu-latest + name: "Initialize pipeline" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: "Set input parameters to output variables" + id: get-workflow-param + uses: ./.github/actions/templates/avm-getWorkflowInput + with: + workflowPath: "${{ env.workflowPath}}" + - name: "Get module test file paths" + id: get-module-test-file-paths + uses: ./.github/actions/templates/avm-getModuleTestFiles + with: + modulePath: "${{ env.modulePath }}" + outputs: + workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }} + moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }} + psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }} + modulePath: "${{ env.modulePath }}" + + ############################## + # Call reusable workflow # + ############################## + call-workflow-passing-data: + name: "Run" + permissions: + id-token: write # For OIDC + contents: write # For release tags + needs: + - job_initialize_pipeline + uses: ./.github/workflows/avm.template.module.yml + with: + workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}" + moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}" + psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}" + modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}" + secrets: inherit diff --git a/avm/ptn/authorization/role-definition/README.md b/avm/ptn/authorization/role-definition/README.md new file mode 100644 index 0000000000..c6339e3760 --- /dev/null +++ b/avm/ptn/authorization/role-definition/README.md @@ -0,0 +1,302 @@ +# avm/ptn/authorization/role-definition `[Authorization/RoleDefinition]` + +This module deploys a custom role definition to a Management Group. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Usage examples](#Usage-examples) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Authorization/roleDefinitions` | [2022-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-05-01-preview/roleDefinitions) | + +## Usage examples + +The following section provides usage examples for the module, which were used to validate and deploy the module successfully. For a full reference, please review the module's test folder in its repository. + +>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order. + +>**Note**: To reference the module, please use the following syntax `br/public:avm/ptn/authorization/role-definition:`. + +- [Role Definition (Management Group scope) - Required Parameters](#example-1-role-definition-management-group-scope---required-parameters) +- [Role Definition (Management Group scope) - Using loadJsonContent](#example-2-role-definition-management-group-scope---using-loadjsoncontent) + +### Example 1: _Role Definition (Management Group scope) - Required Parameters_ + +This module deploys a Role Definition at a Management Group scope using minimal parameters. + + +
+ +via Bicep module + +```bicep +module roleDefinition 'br/public:avm/ptn/authorization/role-definition:' = { + name: 'roleDefinitionDeployment' + params: { + // Required parameters + name: 'rbac-custom-role-reader' + // Non-required parameters + actions: [ + '*/read' + ] + location: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rbac-custom-role-reader" + }, + // Non-required parameters + "actions": { + "value": [ + "*/read" + ] + }, + "location": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/role-definition:' + +// Required parameters +param name = 'rbac-custom-role-reader' +// Non-required parameters +param actions = [ + '*/read' +] +param location = '' +``` + +
+

+ +### Example 2: _Role Definition (Management Group scope) - Using loadJsonContent_ + +This module deploys a Role Definition at a Management Group scope using loadJsonContent to load a custom role definition stored in a JSON file. + + +

+ +via Bicep module + +```bicep +module roleDefinition 'br/public:avm/ptn/authorization/role-definition:' = { + name: 'roleDefinitionDeployment' + params: { + // Required parameters + name: '' + // Non-required parameters + actions: '' + dataActions: '' + description: '' + location: '' + notActions: '' + notDataActions: '' + roleName: '' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + // Non-required parameters + "actions": { + "value": "" + }, + "dataActions": { + "value": "" + }, + "description": { + "value": "" + }, + "location": { + "value": "" + }, + "notActions": { + "value": "" + }, + "notDataActions": { + "value": "" + }, + "roleName": { + "value": "" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/ptn/authorization/role-definition:' + +// Required parameters +param name = '' +// Non-required parameters +param actions = '' +param dataActions = '' +param description = '' +param location = '' +param notActions = '' +param notDataActions = '' +param roleName = '' +``` + +
+

+ +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the custom role definition. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`actions`](#parameter-actions) | array | The permission actions of the custom role definition. | +| [`assignableScopes`](#parameter-assignablescopes) | array | The assignable scopes of the custom role definition. If not specified, the management group being targeted in the parameter managementGroupName will be used. | +| [`dataActions`](#parameter-dataactions) | array | The permission data actions of the custom role definition. | +| [`description`](#parameter-description) | string | The description of the custom role definition. | +| [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`location`](#parameter-location) | string | The location of the telemetry deployment to be created. Default is location of deployment. | +| [`notActions`](#parameter-notactions) | array | The permission not actions of the custom role definition. | +| [`notDataActions`](#parameter-notdataactions) | array | The permission not data actions of the custom role definition. | +| [`roleName`](#parameter-rolename) | string | The display name of the custom role definition. If not specified, the name will be used. | + +### Parameter: `name` + +The name of the custom role definition. + +- Required: Yes +- Type: string + +### Parameter: `actions` + +The permission actions of the custom role definition. + +- Required: No +- Type: array + +### Parameter: `assignableScopes` + +The assignable scopes of the custom role definition. If not specified, the management group being targeted in the parameter managementGroupName will be used. + +- Required: No +- Type: array + +### Parameter: `dataActions` + +The permission data actions of the custom role definition. + +- Required: No +- Type: array + +### Parameter: `description` + +The description of the custom role definition. + +- Required: No +- Type: string + +### Parameter: `enableTelemetry` + +Enable/Disable usage telemetry for module. + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `location` + +The location of the telemetry deployment to be created. Default is location of deployment. + +- Required: No +- Type: string +- Default: `[deployment().location]` + +### Parameter: `notActions` + +The permission not actions of the custom role definition. + +- Required: No +- Type: array + +### Parameter: `notDataActions` + +The permission not data actions of the custom role definition. + +- Required: No +- Type: array + +### Parameter: `roleName` + +The display name of the custom role definition. If not specified, the name will be used. + +- Required: No +- Type: string + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `managementGroupCustomRoleDefinitionIds` | object | An object containing the resourceId, roleDefinitionId, and displayName of the custom role definition. | +| `roleDefinitionIdName` | string | The ID/name of the custom role definition created. | + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/ptn/authorization/role-definition/main.bicep b/avm/ptn/authorization/role-definition/main.bicep new file mode 100644 index 0000000000..f30b7279bf --- /dev/null +++ b/avm/ptn/authorization/role-definition/main.bicep @@ -0,0 +1,99 @@ +metadata name = 'avm/ptn/authorization/role-definition' +metadata description = 'This module deploys a custom role definition to a Management Group.' +metadata owner = '@jtracey93' + +targetScope = 'managementGroup' + +@sys.description('Optional. Enable/Disable usage telemetry for module.') +param enableTelemetry bool = true + +@sys.description('Optional. The location of the telemetry deployment to be created. Default is location of deployment.') +param location string = deployment().location + +@sys.description('Required. The name of the custom role definition.') +param name string + +@sys.description('Optional. The description of the custom role definition.') +param description string? + +@sys.description('Optional. The assignable scopes of the custom role definition. If not specified, the management group being targeted in the parameter managementGroupName will be used.') +param assignableScopes array? + +@sys.description('Optional. The permission actions of the custom role definition.') +param actions array? + +@sys.description('Optional. The permission not actions of the custom role definition.') +param notActions array? + +@sys.description('Optional. The permission data actions of the custom role definition.') +param dataActions array? + +@sys.description('Optional. The permission not data actions of the custom role definition.') +param notDataActions array? + +@sys.description('Optional. The display name of the custom role definition. If not specified, the name will be used.') +param roleName string? + +// ============ // +// Variables // +// ============ // + +var roleDefNameFinalGuid = contains(name, '-') && length(name) == 36 && length(split(name, '-')) == 5 + ? name + : guid(name) + +// ============== // +// Resources // +// ============== // + +#disable-next-line no-deployments-resources +resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) { + name: '46d3xbcp.ptn.authorization-roledefinition.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' + location: location + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + outputs: { + telemetry: { + type: 'String' + value: 'For more information, see https://aka.ms/avm/TelemetryInfo' + } + } + } + } +} + +resource res_roleDefinition_mg 'Microsoft.Authorization/roleDefinitions@2022-05-01-preview' = { + name: roleDefNameFinalGuid + properties: { + roleName: roleName ?? roleDefNameFinalGuid + description: description + type: 'CustomRole' + assignableScopes: !empty(assignableScopes) ? assignableScopes : [managementGroup().id] + permissions: [ + { + actions: actions ?? [] + notActions: notActions ?? [] + dataActions: dataActions ?? [] + notDataActions: notDataActions ?? [] + } + ] + } +} + +// ============ // +// Outputs // +// ============ // + +@sys.description('An object containing the resourceId, roleDefinitionId, and displayName of the custom role definition.') +output managementGroupCustomRoleDefinitionIds object = { + resourceId: res_roleDefinition_mg.id + roleDefinitionIdName: res_roleDefinition_mg.name + displayName: res_roleDefinition_mg.properties.roleName +} + +@sys.description('The ID/name of the custom role definition created.') +output roleDefinitionIdName string = res_roleDefinition_mg.id diff --git a/avm/ptn/authorization/role-definition/main.json b/avm/ptn/authorization/role-definition/main.json new file mode 100644 index 0000000000..99bc7e49f7 --- /dev/null +++ b/avm/ptn/authorization/role-definition/main.json @@ -0,0 +1,151 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "4698417116112222192" + }, + "name": "avm/ptn/authorization/role-definition", + "description": "This module deploys a custom role definition to a Management Group.", + "owner": "@jtracey93" + }, + "parameters": { + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]", + "metadata": { + "description": "Optional. The location of the telemetry deployment to be created. Default is location of deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the custom role definition." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the custom role definition." + } + }, + "assignableScopes": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The assignable scopes of the custom role definition. If not specified, the management group being targeted in the parameter managementGroupName will be used." + } + }, + "actions": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The permission actions of the custom role definition." + } + }, + "notActions": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The permission not actions of the custom role definition." + } + }, + "dataActions": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The permission data actions of the custom role definition." + } + }, + "notDataActions": { + "type": "array", + "nullable": true, + "metadata": { + "description": "Optional. The permission not data actions of the custom role definition." + } + }, + "roleName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The display name of the custom role definition. If not specified, the name will be used." + } + } + }, + "variables": { + "roleDefNameFinalGuid": "[if(and(and(contains(parameters('name'), '-'), equals(length(parameters('name')), 36)), equals(length(split(parameters('name'), '-')), 5)), parameters('name'), guid(parameters('name')))]" + }, + "resources": { + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.ptn.authorization-roledefinition.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "location": "[parameters('location')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "res_roleDefinition_mg": { + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2022-05-01-preview", + "name": "[variables('roleDefNameFinalGuid')]", + "properties": { + "roleName": "[coalesce(parameters('roleName'), variables('roleDefNameFinalGuid'))]", + "description": "[parameters('description')]", + "type": "CustomRole", + "assignableScopes": "[if(not(empty(parameters('assignableScopes'))), parameters('assignableScopes'), createArray(managementGroup().id))]", + "permissions": [ + { + "actions": "[coalesce(parameters('actions'), createArray())]", + "notActions": "[coalesce(parameters('notActions'), createArray())]", + "dataActions": "[coalesce(parameters('dataActions'), createArray())]", + "notDataActions": "[coalesce(parameters('notDataActions'), createArray())]" + } + ] + } + } + }, + "outputs": { + "managementGroupCustomRoleDefinitionIds": { + "type": "object", + "metadata": { + "description": "An object containing the resourceId, roleDefinitionId, and displayName of the custom role definition." + }, + "value": { + "resourceId": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleDefinitions', variables('roleDefNameFinalGuid'))]", + "roleDefinitionIdName": "[variables('roleDefNameFinalGuid')]", + "displayName": "[reference('res_roleDefinition_mg').roleName]" + } + }, + "roleDefinitionIdName": { + "type": "string", + "metadata": { + "description": "The ID/name of the custom role definition created." + }, + "value": "[extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleDefinitions', variables('roleDefNameFinalGuid'))]" + } + } +} \ No newline at end of file diff --git a/avm/ptn/authorization/role-definition/tests/e2e/mg.default/main.test.bicep b/avm/ptn/authorization/role-definition/tests/e2e/mg.default/main.test.bicep new file mode 100644 index 0000000000..13b27a9c9e --- /dev/null +++ b/avm/ptn/authorization/role-definition/tests/e2e/mg.default/main.test.bicep @@ -0,0 +1,31 @@ +targetScope = 'managementGroup' +metadata name = 'Role Definition (Management Group scope) - Required Parameters' +metadata description = 'This module deploys a Role Definition at a Management Group scope using minimal parameters.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'acrdmgmin' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}' + params: { + name: '${namePrefix}-rbac-custom-role-reader' + actions: [ + '*/read' + ] + location: resourceLocation + } +} diff --git a/avm/ptn/authorization/role-definition/tests/e2e/mg.loadJson/lib/subscription_owner.alz_role_definition.json b/avm/ptn/authorization/role-definition/tests/e2e/mg.loadJson/lib/subscription_owner.alz_role_definition.json new file mode 100644 index 0000000000..b09d16ac6b --- /dev/null +++ b/avm/ptn/authorization/role-definition/tests/e2e/mg.loadJson/lib/subscription_owner.alz_role_definition.json @@ -0,0 +1,27 @@ +{ + "name": "402344ce-48c4-5ac1-9320-16726050f964", + "type": "Microsoft.Authorization/roleDefinitions", + "apiVersion": "2018-01-01-preview", + "properties": { + "roleName": "Subscription-Owner", + "description": "Delegated role for subscription owner generated from subscription Owner role", + "type": "CustomRole", + "permissions": [ + { + "actions": [ + "*" + ], + "notActions": [ + "Microsoft.Authorization/*/write", + "Microsoft.Network/vpnGateways/*", + "Microsoft.Network/expressRouteCircuits/*", + "Microsoft.Network/routeTables/write", + "Microsoft.Network/vpnSites/*" + ], + "dataActions": [], + "notDataActions": [] + } + ], + "assignableScopes": [] + } +} \ No newline at end of file diff --git a/avm/ptn/authorization/role-definition/tests/e2e/mg.loadJson/main.test.bicep b/avm/ptn/authorization/role-definition/tests/e2e/mg.loadJson/main.test.bicep new file mode 100644 index 0000000000..19cbe4a35a --- /dev/null +++ b/avm/ptn/authorization/role-definition/tests/e2e/mg.loadJson/main.test.bicep @@ -0,0 +1,36 @@ +targetScope = 'managementGroup' +metadata name = 'Role Definition (Management Group scope) - Using loadJsonContent' +metadata description = 'This module deploys a Role Definition at a Management Group scope using loadJsonContent to load a custom role definition stored in a JSON file.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'acrdmgjson' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +// ============== // +// Test Execution // +// ============== // + +param customRoleDefinitionJson object = loadJsonContent('lib/subscription_owner.alz_role_definition.json') + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}' + params: { + name: customRoleDefinitionJson.name + roleName: customRoleDefinitionJson.properties.roleName + description: customRoleDefinitionJson.properties.description + actions: customRoleDefinitionJson.properties.permissions[0].actions + notActions: customRoleDefinitionJson.properties.permissions[0].notActions + dataActions: customRoleDefinitionJson.properties.permissions[0].dataActions + notDataActions: customRoleDefinitionJson.properties.permissions[0].notDataActions + location: resourceLocation + } +} diff --git a/avm/ptn/authorization/role-definition/version.json b/avm/ptn/authorization/role-definition/version.json new file mode 100644 index 0000000000..8def869ede --- /dev/null +++ b/avm/ptn/authorization/role-definition/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.1", + "pathFilters": [ + "./main.json" + ] +}