Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources

Deploy role assignment module in different subscriptions #11965

Closed andreaskasc closed 11 months ago

andreaskasc commented 11 months ago

I am trying to deploy multiple role assignments to a managed identity through bicep modules.

I was able to create multiple role assignments under the same subscription (but under different resource groups) by changing the module scope to the resource group I want. However, I am not able to do it for resource groups from different subscriptions. I get a ResourceGroupNotFound exception when the module scope is the one from the different subscription. When I try to change the scope to subscription I get a syntax error: Scope "subscription" is not valid for this module. Permitted scopes: "resourceGroup".bicep(BCP134)

I can do that same assignment from the Azure Portal without any problem, but I haven't found a way to do it with Bicep. Is that possible, and is there any example of how to do this?

I have seen this closed issue, which is supposedly the solution to my problem, but I couldn't find an example of how to use it.

jeskew commented 11 months ago

> I get a ResourceGroupNotFound exception when the module scope is the one from the different subscription.

Are you specifying the subscription ID when trying to deploy to a resource group in another subscription? At least according to https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-to-resource-group?tabs=azure-cli#scope-to-different-resource-group, this should be permitted.

> When I try to change the scope to subscription I get a syntax error: Scope "subscription" is not valid for this module. Permitted scopes: "resourceGroup".bicep(BCP134)

Every Bicep template has a target scope, and a module's scope property must be of the same type as the targetScope of the module file. You can change the target scope of a Bicep file with a top-level statement:

targetScope = 'subscription'

If a file doesn't have a targetScope statement, Bicep will default to a scope of 'resourceGroup', as this is the most common deployment scenario. Including a targetScope statement will change what kind of resources you can declare in a template, since most resources have to be deployed to a resource group. There is a non-exhaustive list of resource types supported at subscription scope at https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-to-subscription?tabs=azure-cli

andreaskasc commented 11 months ago

Hi @jeskew,

Thanks for your quick reply. Indeed, using resourceGroup while passing the subscription ID works perfectly: scope: resourceGroup(otherSubscriptionID, otherResourceGroup)

Thanks again.
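
The resolution reached in this thread, written out as an added example (not code posted by either participant or taken from the Bicep project): a resource-group-scoped module looped over resource groups in several subscriptions, granting a managed identity one role per resource group. The file names, parameter names, subscription IDs and resource group names are constructed placeholders; the two role GUIDs are the Azure built-in Reader and Storage Blob Data Reader roles.

```bicep
// ---- main.bicep: deployed to a resource group in the "home" subscription ----
targetScope = 'resourceGroup'

@description('Object (principal) ID of the managed identity receiving the roles.')
param principalId string

@description('Constructed placeholders: one entry per target resource group.')
param assignments array = [
  {
    subscriptionId: '00000000-0000-0000-0000-000000000001' // placeholder
    resourceGroupName: 'rg-app-a'                          // placeholder
    roleDefinitionGuid: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' // Reader
  }
  {
    subscriptionId: '00000000-0000-0000-0000-000000000002' // placeholder
    resourceGroupName: 'rg-data-b'                         // placeholder
    roleDefinitionGuid: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' // Storage Blob Data Reader
  }
]

// The module file targets 'resourceGroup', so each scope must be a resource
// group. Passing the subscription ID as the first argument is what lets the
// deployment cross subscriptions instead of failing with ResourceGroupNotFound.
module roleAssign 'role-assignment.bicep' = [for (a, i) in assignments: {
  name: 'ra-${i}-${uniqueString(a.subscriptionId, a.resourceGroupName)}'
  scope: resourceGroup(a.subscriptionId, a.resourceGroupName)
  params: {
    principalId: principalId
    roleDefinitionGuid: a.roleDefinitionGuid
  }
}]

// ---- role-assignment.bicep: separate file; no targetScope statement, so it
// ---- defaults to 'resourceGroup' and matches the module scopes above
param principalId string
param roleDefinitionGuid string

resource ra 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic name keeps redeployments idempotent.
  name: guid(resourceGroup().id, principalId, roleDefinitionGuid)
  properties: {
    principalId: principalId
    principalType: 'ServicePrincipal' // managed identities are service principals
    // Resolved against the subscription the module is deployed into.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionGuid)
  }
}
```

The identity running the deployment needs Microsoft.Authorization/roleAssignments/write on every target resource group; keeping each assignment at resource-group scope rather than subscription scope limits what the managed identity can reach.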