Azure / Community-Policy

This repo is for Microsoft Azure customers and Microsoft teams to collaborate in making custom policies.
MIT License
615 stars, 322 forks

Incorrect role definition ID for policy "Deploy Resource Lock on RGs - tag exclusion"? #412

Closed kamfaima closed 7 months ago

kamfaima commented 8 months ago

For the policy definition policyDefinitions/General/deploy-resource-lock-on-rgs-tag-exclusion/azurepolicy.json, is the role definition correct?

In the code, it has:

"/providers/Microsoft.Authorization/roleDefinitions/35b50af1-b556-492f-8595-cbf5cb531055"

But I cannot see any built-in role (https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles) with the role ID of 35b50af1-b556-492f-8595-cbf5cb531055.

Assuming this code is sourced from https://github.com/grabery/graber.cloud-azure-templates/blob/main/gov/policies/audit-and-deploy-resource-lock/azdeploy.json, that definition uses a role ID of 8e3af657-a8ff-443c-a75c-2fe8c4bcb635, i.e. Owner.
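A quick way to catch this class of problem before a policy is merged is to pull every `roleDefinitionIds` entry out of a deployIfNotExists/modify policy and resolve it. The script below is an added example written for this thread, not code from the Community-Policy repo or from the linked template. The policy document inside it is a constructed sample that only mirrors the shape of an `azurepolicy.json` (the repo's real file is not reproduced here); the table of built-in role GUIDs is deliberately partial, so a verdict of "unknown" means "resolve this against the tenant", not "this role does not exist".

```python
import json
import re
from typing import Dict, List

# A few well-known built-in role definition GUIDs (identical in every Azure tenant).
# Owner is the ID the upstream template is reported to use. The table is partial on purpose.
BUILTIN_ROLES: Dict[str, str] = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

# roleDefinitionIds entries must be the full tenant-independent path, not a bare GUID.
ROLE_ID_RE = re.compile(
    r"^/providers/Microsoft\.Authorization/roleDefinitions/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)

# Constructed sample policy (not the repository's file). The roles listed under
# then.details.roleDefinitionIds are the ones granted to the remediation managed identity.
SAMPLE_POLICY = json.dumps({
    "properties": {
        "displayName": "Deploy Resource Lock on RGs - tag exclusion (sample)",
        "mode": "All",
        "policyRule": {
            "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups"},
            "then": {
                "effect": "deployIfNotExists",
                "details": {
                    "type": "Microsoft.Authorization/locks",
                    "roleDefinitionIds": [
                        "/providers/Microsoft.Authorization/roleDefinitions/35b50af1-b556-492f-8595-cbf5cb531055",
                        "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
                    ],
                },
            },
        },
    }
})


def extract_role_ids(policy_json: str) -> List[str]:
    """Return the roleDefinitionIds a deployIfNotExists/modify policy asks for ([] if none)."""
    policy = json.loads(policy_json)
    then = policy["properties"]["policyRule"].get("then", {})
    return list(then.get("details", {}).get("roleDefinitionIds", []))


def classify_role_ids(role_ids: List[str]) -> Dict[str, str]:
    """Map each entry to a built-in role name, 'unknown' (not in the local table) or 'malformed'."""
    verdicts: Dict[str, str] = {}
    for rid in role_ids:
        match = ROLE_ID_RE.match(rid)
        if match is None:
            verdicts[rid] = "malformed"
            continue
        verdicts[rid] = BUILTIN_ROLES.get(match.group(1).lower(), "unknown")
    return verdicts


def check_policy(policy_json: str) -> Dict[str, str]:
    """Parse a policy document and classify every role it would grant to its remediation identity."""
    return classify_role_ids(extract_role_ids(policy_json))


if __name__ == "__main__":
    for rid, verdict in check_policy(SAMPLE_POLICY).items():
        guid = rid.rsplit("/", 1)[-1]
        print(f"{guid}: {verdict}")
        if verdict == "unknown":
            # Resolve against a real tenant; both built-in and custom roles appear in this listing.
            print(f"  az role definition list --query \"[?name=='{guid}']\" -o json")
```

Run against a real tenant, the printed `az role definition list` query returns an empty list if the GUID is neither a built-in role nor a custom role visible at that scope, which is the situation the issue describes. Whatever the GUID resolves to is worth reading closely: the roles in `roleDefinitionIds` are exactly the rights the policy's remediation identity receives, and Owner, which the upstream template uses, is far broader than what creating a resource lock requires.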

aschabus commented 8 months ago

@kamfaima thanks for letting us know