Closed jachin84 closed 1 month ago
Hey @jachin84 , how sure of that statement are you? :D
It 'should' contain everything of the resource group scope and below. Actually, the way we find the roles is using this script Get-RoleAssignmentList.
The resulting list is the following:
like in the corresponding nested_roleAssignments.bicep.
However, maybe I'm just missing a crucial piece. Let me know.
Hi @AlexanderSehr, I'm pretty sure of that statement but it's quite possible I have misunderstood the intention of the nested_roleAssignments
files. Let's go step by step and see where we land.
My assumption regarding nested_roleAssignments
is that it provides a way to assign RBAC roles at the given scope. E.g. if I am deploying a Key Vault resource, it makes no sense to assign 'Virtual Machine Contributor' as it doesn't have any actions that would apply to a Key Vault.
Following that logic, what roles 'make sense' to be assigned to a resource group scope? In my mind it's all of them.
Hey @jachin84, thanks for replying.
In that case we should be aligned on what 'should' be in that file, as you described it very well. In the KeyVault roleassignments file, we should have roles for the KeyVault, in the RG-scope all but e.g. those of the management group and tenant scope.
For that purpose, we filter the roles for a file down by using the filter
$relevantRoles += $roleDefinitions | Where-Object {
$_.Actions -like "$ProviderNamespace/$ResourceType/*" -or
$_.Actions -like "$ProviderNamespace/`**" -or
$_.Actions -like '`**'
}
In case of KeyVault that would mean that we fetch all roles with actions that match
$relevantRoles += $roleDefinitions | Where-Object {
$_.Actions -like "Microsoft.KeyVault/vaults/*" -or
$_.Actions -like "Microsoft.KeyVault/`**" -or
$_.Actions -like '`**'
}
So we want to fetch every role that, in its scope, is limiting itself to
Microsoft.KeyVault/*/read
That being said - roles are sometimes not perfectly scoped, I guess. I just checked the Microsoft.KeyVault/vaults resource type, and indeed, it wants to include Desktop Virtualization Virtual Machine Contributor in the list. Why is that you ask, well let's see:
The role definition looks like the following:
{
"Name": "Desktop Virtualization Virtual Machine Contributor",
"Id": "a959dbd1-f747-45e3-8ba6-dd80f235f97c",
"IsCustom": false,
"Description": "This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines.",
"Actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/write",
"Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action",
"Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.Compute/images/read",
"Microsoft.Compute/locations/usages/read",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/operations/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/extensions/write",
"Microsoft.Compute/virtualMachines/extensions/delete",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/runCommands/write",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read",
"Microsoft.KeyVault/vaults/deploy/action", // <=== check me out
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": [],
"AssignableScopes": [
"/"
]
}
As you can see above, I highlighted the KeyVault scope that 'happens' to be part of that role. Why that's the case I cannot tell you without looking into the documentation that may yield some insights. I agree with you however that it is a bit ... odd.
In any case, the same logic for the above applies to the Resource Group and it 'should' have all built-in roles included. I ran the same logic again for that resource type and you're right, there are 2 roles missing:
Windows365NetworkInterfaceContributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1f135831-5bbe-4924-9016-264044c00788')
Windows365SubscriptionReader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3d55a8f6-4133-418d-8051-facdb1735758')
If there are any others you would expect here, please let me know. Maybe there is a flaw in our logic that I'm currently overlooking. Looking forward to your reply :)
I just linked the bug you created and will investigate this further. Got to wrap my head around it a bit more.
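The filter quoted above, re-implemented in Python as an added example (not the Get-RoleAssignmentList script itself) and run over three constructed, abridged role definitions. It assumes the backtick-star in the posted patterns is PowerShell's wildcard escape for a literal asterisk, and shows both why the Desktop Virtualization role lands in the Key Vault list and what an Actions-only filter leaves out.

```python
import fnmatch

# Constructed, abridged role definitions (modelled on built-in roles);
# only the fields the filter touches are included.
ROLES = [
    {"Name": "Desktop Virtualization Virtual Machine Contributor",
     "Actions": ["Microsoft.Compute/virtualMachines/read",
                 "Microsoft.Compute/virtualMachines/start/action",
                 "Microsoft.KeyVault/vaults/deploy/action",   # the odd one
                 "Microsoft.Authorization/*/read",
                 "Microsoft.Resources/deployments/*",
                 "Microsoft.Resources/subscriptions/resourceGroups/read"],
     "DataActions": []},
    {"Name": "Key Vault Secrets User",            # data-plane-only role
     "Actions": [],
     "DataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action"]},
    {"Name": "Reader", "Actions": ["*/read"], "DataActions": []},
]


def _like(value, pattern):
    """Approximate PowerShell -like: case-insensitive, '*' is a wildcard,
    backtick-star ('`*') is a literal asterisk."""
    pattern = pattern.replace("`*", "[*]")
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def relevant_roles(roles, provider_namespace, resource_type,
                   fields=("Actions",)):
    """Return [(role name, first action that satisfied the filter)].

    fields defaults to Actions only, as in the posted filter; pass
    ("Actions", "DataActions") to also consider data-plane permissions."""
    patterns = [f"{provider_namespace}/{resource_type}/*",  # type-specific
                f"{provider_namespace}/`**",                 # provider-wide '*'
                "`**"]                                      # global '*' / '*/read'
    hits = []
    for role in roles:
        actions = [a for f in fields for a in role.get(f, [])]
        match = next((a for a in actions
                      if any(_like(a, p) for p in patterns)), None)
        if match is not None:
            hits.append((role["Name"], match))
    return hits


if __name__ == "__main__":
    for scope in [("Microsoft.KeyVault", "vaults"),
                  ("Microsoft.Resources", "resourceGroups")]:
        print(scope, relevant_roles(ROLES, *scope))
```

For the resource-group scope the Desktop Virtualization role drops out again: its only resource-group action sits under Microsoft.Resources/subscriptions/resourceGroups, which none of the three patterns cover.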
Closing as module was migrated to AVM and does align with ID: BCPFR2 - Category: Composition - Role Assignments Role Definition Mapping. It uses a very reduced approach and will be replaced with whatever the PG ends up implementing to make role assignments easier. Given some comments in the Azure/Bicep repository something is apparently being done.
Description
The nested_roleAssignments.bicep in the Microsoft.Resources/resourceGroups folder only has the roles that contain actions against the Microsoft.Resources/resourceGroups namespace. This makes sense as this is what the script does, but in reality I think it makes sense to include all RBAC roles like you do in Microsoft.Authorization/roleAssignments.
Reason being that a resource group can contain any resource type so it makes sense to allow any role.