-
Notifications
You must be signed in to change notification settings - Fork 381
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add multi RBAC assignment support (#3865)
## Description add multi RBAC assignment support ## Pipeline Reference <!-- Insert your Pipeline Status Badge below --> | Pipeline | | -------- | | [![avm.ptn.authorization.policy-assignment](https://github.com/jtracey93/bicep-registry-modules/actions/workflows/avm.ptn.authorization.policy-assignment.yml/badge.svg?branch=feat%2Fadd-multi-rbac-assignment-support)](https://github.com/jtracey93/bicep-registry-modules/actions/workflows/avm.ptn.authorization.policy-assignment.yml) | ## Type of Change <!-- Use the checkboxes [x] on the options that are relevant. --> - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings <!-- Please keep up to date with the contribution guide at https://aka.ms/avm/contribute/bicep -->
- Loading branch information
Showing
8 changed files
with
299 additions
and
49 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
29 changes: 29 additions & 0 deletions
29
...thorization/policy-assignment/modules/management-group-additional-rbac-asi-def-loop.bicep
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
targetScope = 'managementGroup' | ||
|
||
@sys.description('Optional. An array of additional management group IDs to assign RBAC to for the policy assignment if it has an identity.') | ||
param managementGroupsIDsToAssignRbacTo array = [] | ||
|
||
@sys.description('Required. The ID Of the Azure Role Definition that is used to assign permissions to the identity. You need to provide the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.') | ||
param roleDefinitionId string | ||
|
||
@sys.description('Optional. Location for all resources.') | ||
param location string = deployment().location | ||
|
||
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope.') | ||
@maxLength(24) | ||
param name string | ||
|
||
@sys.description('Required. The managed identity principal ID associated with the policy assignment.') | ||
param policyAssignmentIdentityId string | ||
|
||
module additionalManagementGroupRoleAssignmentsPerMG 'management-group-additional-rbac-asi.bicep' = [ | ||
for mg in managementGroupsIDsToAssignRbacTo: { | ||
name: '${uniqueString(deployment().name, location, roleDefinitionId, name)}-PolicyAssignment-MG-Module-Additional-RBAC' | ||
scope: managementGroup(mg) | ||
params: { | ||
name: name | ||
policyAssignmentIdentityId: policyAssignmentIdentityId | ||
roleDefinitionId: roleDefinitionId | ||
} | ||
} | ||
] |
23 changes: 23 additions & 0 deletions
23
avm/ptn/authorization/policy-assignment/modules/management-group-additional-rbac-asi.bicep
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
targetScope = 'managementGroup' | ||
|
||
@sys.description('Required. The ID Of the Azure Role Definition that is used to assign permissions to the identity. You need to provide the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.') | ||
param roleDefinitionId string | ||
|
||
@sys.description('Optional. Location for all resources.') | ||
param location string = deployment().location | ||
|
||
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope.') | ||
@maxLength(24) | ||
param name string | ||
|
||
@sys.description('Required. The managed identity principal ID associated with the policy assignment.') | ||
param policyAssignmentIdentityId string | ||
|
||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { | ||
name: guid(managementGroup().id, roleDefinitionId, location, name) | ||
properties: { | ||
roleDefinitionId: roleDefinitionId | ||
principalId: policyAssignmentIdentityId | ||
principalType: 'ServicePrincipal' | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters