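// Subscription-scoped template: every role assignment below is granted at subscription scope.
targetScope = 'subscription'

@description('Object (principal) ID of the managed identity that receives the subscription-scoped role assignments declared in miRoleAssignments.')
@minLength(1)
param miPrincipalId string

@description('Display name of the managed identity; used only as a prefix in the role assignment descriptions.')
@minLength(1)
param miName string

@description('Object ID of the Entra ID group that receives the subscription-scoped role assignments declared in groupRoleAssignments.')
@minLength(1)
param userGroupPrincipalID string

@description('Display name of the Entra ID group; used only as a prefix in the role assignment descriptions.')
@minLength(1)
param userGroupName string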
// Built-in Azure RBAC role definition IDs referenced by the assignments below.
// See: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
var roleID = {
  // Contributor: manage all resources in scope; cannot create role assignments on its own.
  // Granted at subscription scope below, so it is the broadest right this template hands out.
  contributor: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
  // Key Vault Secrets User: read secret contents.
  kvSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6'
  // Key Vault Secrets Officer: read and write secrets (superset of Secrets User).
  kvSecretsOfficer: 'b86a8fe4-44ce-4948-aee5-eccb2c155cd7'
  // Role Based Access Control Administrator: create/delete role assignments. Both assignments of it
  // below carry an ABAC condition limiting which role definitions may be assigned.
  rbacAdmin: 'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
  // Storage Blob / Queue Data Contributor: data-plane read/write. Not assigned directly in this file;
  // they only appear in the rbacAdmin condition as roles the delegates are allowed to grant.
  storageBlobDataContributor: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
  storageQueueDataContributor: '974c5e8b-45b9-4653-ba55-5f855dd0fb88'
  // Azure Relay Sender: likewise only listed in the rbacAdmin condition, never assigned here.
  azureRelaySender: '26baccc8-eea7-41f1-98f4-1762cc7f685d'
}
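// Role assignments for the managed identity.
// Each entry becomes one Microsoft.Authorization/roleAssignments resource (see miRoleAssignment).
// roleName is only used to derive a stable resource name; roleId is what is actually granted.
var miRoleAssignments = [
  {
    roleName: 'contributor'
    roleId: roleID.contributor
    description: 'Contributor access to subscription'
  }
  {
    roleName: 'kvSecretsUser'
    roleId: roleID.kvSecretsUser
    description: 'kvSecretsUser access to subscription'
  }
  {
    roleName: 'rbacAdmin'
    roleId: roleID.rbacAdmin
    // The description is written onto the role assignment and is what an auditor reads; it now lists
    // every role definition the condition below allows. The previous text omitted Key Vault Secrets
    // Officer and Azure Relay Sender, understating what this principal can delegate.
    description: 'Role Based Access Control Administrator access to subscription. Can assign Key Vault Secrets User, Key Vault Secrets Officer, Storage Blob Data Contributor, Storage Queue Data Contributor, and Azure Relay Sender roles.'
    // ABAC condition (conditionVersion 2.0), the only entry that has one. Role-assignment writes are
    // allowed only when the requested RoleDefinitionId is one of the listed GUIDs, and deletes only when
    // the existing assignment's RoleDefinitionId is one of them; any other action the role grants is
    // not constrained by this expression.
    // NOTE(review): the condition restricts the role being assigned, not the principal it is assigned to,
    // and kvSecretsOfficer is broader than the kvSecretsUser this identity holds itself - confirm that
    // delegation set is intended.
    condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}, ${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}, ${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}}))'
    conditionVersion: '2.0'
  }
]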
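// Role assignments for the Entra ID group.
// Each entry becomes one Microsoft.Authorization/roleAssignments resource (see groupRoleAssignment).
// roleName is only used to derive a stable resource name; roleId is what is actually granted.
var groupRoleAssignments = [
  {
    roleName: 'contributor'
    roleId: roleID.contributor
    description: 'Contributor access to subscription'
  }
  {
    roleName: 'kvSecretsOfficer'
    roleId: roleID.kvSecretsOfficer
    description: 'kvSecretsOfficer access to subscription'
  }
  {
    roleName: 'rbacAdmin'
    roleId: roleID.rbacAdmin
    // The description is written onto the role assignment and is what an auditor reads; it now lists
    // every role definition the condition below allows. The previous text omitted Key Vault Secrets
    // User and Azure Relay Sender, understating what this group can delegate.
    description: 'Role Based Access Control Administrator access to subscription. Can assign Key Vault Secrets User, Key Vault Secrets Officer, Storage Blob Data Contributor, Storage Queue Data Contributor, and Azure Relay Sender roles.'
    // ABAC condition (conditionVersion 2.0), the only entry that has one; identical to the condition on
    // the managed identity's rbacAdmin entry. Role-assignment writes are allowed only when the requested
    // RoleDefinitionId is one of the listed GUIDs, and deletes only when the existing assignment's
    // RoleDefinitionId is one of them; other actions the role grants are not constrained here.
    condition: '((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/write\'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}, ${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}})) AND ((!(ActionMatches{\'Microsoft.Authorization/roleAssignments/delete\'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {${roleID.kvSecretsUser}, ${roleID.kvSecretsOfficer}, ${roleID.storageBlobDataContributor}, ${roleID.storageQueueDataContributor}, ${roleID.azureRelaySender}}))'
    conditionVersion: '2.0'
  }
]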
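// One role assignment resource per entry in miRoleAssignments, all for the managed identity.
resource miRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in miRoleAssignments: {
  // Deterministic GUID per (subscription, principal, role) so a redeploy updates the existing
  // assignment instead of creating a duplicate.
  name: guid(subscription().subscriptionId, miPrincipalId, role.roleName)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', role.roleId)
    principalId: miPrincipalId
    // A managed identity is backed by a service principal. Declaring the type (as groupRoleAssignment
    // already does with 'Group') lets ARM skip the directory lookup, which avoids transient
    // PrincipalNotFound failures when the identity was created moments before this deployment.
    principalType: 'ServicePrincipal'
    description: '${miName} ${role.description}'
    // Safe-dereference: entries without a condition evaluate to null here, which is how the
    // non-rbacAdmin assignments end up without the property.
    condition: role.?condition
    conditionVersion: role.?conditionVersion
  }
}]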
// One role assignment resource per entry in groupRoleAssignments, all for the Entra ID group.
// Mirrors miRoleAssignment; the principal type is fixed to 'Group' so ARM does not need a directory lookup.
resource groupRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for assignment in groupRoleAssignments: {
  // Stable name derived from (subscription, group, role) so redeploys are idempotent.
  name: guid(subscription().subscriptionId, userGroupPrincipalID, assignment.roleName)
  properties: {
    principalId: userGroupPrincipalID
    principalType: 'Group'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', assignment.roleId)
    description: '${userGroupName} ${assignment.description}'
    // Only the rbacAdmin entry carries a condition; the safe-dereference yields null for the others.
    condition: assignment.?condition
    conditionVersion: assignment.?conditionVersion
  }
}]