Adding RBAC constrained delegation parameters and guidance in the roleAssignment modules

[sebassem]

Adding the conditions parameters to the roleAssignment modules with examples and guidance to enable customers to securely delegate role assignments.

Related Issues/Work Items

Fixes AB#36173

Breaking Changes

N/A

Testing Evidence

As part of this Pull Request I have

• [X] Read the Contribution Guide and ensured this PR is compliant with the guide
• [X] Ensured the resource API versions in .bicep file/s I am adding/editing are using the latest API version possible
• [X] Checked for duplicate Pull Requests
• [ ] Associated it with relevant GitHub Issues
• [X] (ALZ Bicep Core Team Only) Associated it with relevant ADO Items
• [X] Ensured my code/branch is up-to-date with the latest changes in the main branch
• [X] Performed testing and provided evidence.
• [ ] Updated one or more of the following tests (if required)
  • Unit
  • Linting
  • E2E (End-To-End)
  • ValidateAzCloud (Base validation in Azure Cloud)
  • ValidateMcCloud (Base validation in Azure China Cloud)
• [X] Updated relevant and associated documentation (e.g. Contribution Guide, Module READMEs, Wiki Docs etc.)
• [ ] If relevant, created or updated Code Tours here

[jtracey93]

/azp run validateazcloud

[azure-pipelines[bot]]

Azure Pipelines successfully started running 1 pipeline(s).

[oZakari]

/azp run validateazcloud

[azure-pipelines[bot]]

Azure Pipelines successfully started running 1 pipeline(s).

[sebassem]

LGTM

@sebassem great work. Just to confirm we aren't adding the condition building simplification to these modules right, just the sub vending ones?

Correct, just showing how to use the condition parameter in the roleAssignment modules

[oZakari]

@sebassem Im looking into that pipeline error but it's unrelated to your changes so nothing to do on your end.

[oZakari]

@sebassem Looking into it closer, it is related to these changes. 😞 The policy assignment management group module references the role assignment modules. In main currently, json is approx 3.4 MB and with your changes it comes out to 4.2 MB. As far as I'm aware the only way we can get around this is by splitting up the module deployments (likely the ALZ Default Policy Assignments module). However, I'd rather avoid this if at all possible due to it being messy and requiring a lot of work and primarily with the AVM transition work in play.

[oZakari]

If I remove the customer telemetry module references, I can get it down to 3.5 MB. Will think on it a bit more and update here but thinking that's going to be the easiest/quickest option. Ping me if any options come to your mind as well.

[sebassem]

If I remove the customer telemetry module references, I can get it down to 3.5 MB. Will think on it a bit more and update here but thinking that's going to be the easiest/quickest option. Ping me if any options come to your mind as well.

Maybe its the long description of the parameter. I just pushed a commit to reduce the description, if that solved it, then I can move the instructions to generate a condition in md file ?

[oZakari]

Awesome. thanks! That got us to 4.011 and tested locally and no error so let's go with that approach for now.

I am going to hit it again with the policy refresh, but good enough for now.

[sebassem]

Awesome. thanks! That got us to 4.011 and tested locally and no error so let's go with that approach for now.

I am going to hit it again with the policy refresh, but good enough for now.

Just pushed the changes with having the instructions in the readme

[oZakari]

/azp run validateazcloud

[azure-pipelines[bot]]

Azure Pipelines successfully started running 1 pipeline(s).