alex-frankel
commented
2 hours ago +1 on this being one of the jankier parts of bicep today for the two reasons you identified:
- working with dynamic scopes is difficult. In this case, we want the resource type to be generically "resource". I believe #2245/#2246 is the right answer for this.
- getting roleDefinitionId's via the role definition name is needlessly difficult. We are planning to build a function for this in the next few months via #1895
Once that is done you should be able to write a module like the following (I left the data factory references alone, but the data factory resource could also be passed in):
generic-role-assignment.bicep
param res resource
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
scope: res
name: guid(res.name, 'Storage Account Contributor', dataFactory.id)
properties: {
roleDefinitionId: builtInRoleDefinition('Storage Account Contributor')// storageAccountContributorRole.outputs.standardRoleId
principalId: dataFactory.identity.principalId
principalType: 'ServicePrincipal'
}
}Does that get you closer to what you are looking for?
I was moaning about this on Bluesky and encouraged to raise an issue here to explain it. Apologies if I have an X-Y problem here or some other mistake. But maybe it's simply a case for improving resource referencing. I'd also say that bicep is very elegant, which is why I'm struggling here because it feels inelegant in this use case.
What I'm trying to do is create a resource group containing a number of resources, and then allow them access to each other using Managed Identities and RBAC with standard roles.
Importantly, I want the role assignment to be scoped to just the resource I'm granting access to. e.g. I want to grant a managed identity access for to a specific storage account, scoped at the level of that account. I don't want it at the subscription level because it may not be allowed access to other storage resources.
To give a small example, say we create an Azure Data Factory and a Storage Account. Then try to give the ADF managed identity access to the Storage Account.
It would look like this:
main.bicepstorage.bicepdata-factory.bicepI read the docs: https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/azure-resource-manager/bicep/scenarios-rbac.md
But getting the standard role definitions seemed super janky. So I read more here. And also this blog post https://yourazurecoach.com/2023/02/02/my-developer-friendly-bicep-module-for-role-assignments/.
They addressed the problem of reading in the standard role ids by listing them all out in a neat module. But, the scope becomes tricky e.g. if we try to assign like this:
Then this module can only handle storage accounts because retrieving the existing resource requires a string literal to specify the resource type,
'Microsoft.Storage/storageAccounts@2021-06-01'.If you could pass in an actual resource, then it would not be restricted like that.
Having poked this around a whole load, I'VE FOUND A WAY THAT I LIKE!
Instead of having a module that does the role assignment, I have a module which encapsulates retrieving the role id. And then everything is not so ugly. So, that means adding the following to
data-factory.bicep:Which feels reasonably elegant.
standard-role.biceplooks like this:I ended up putting the whole thing into a public repo https://github.com/processity/bicep-role-assignment
This feels OK now. One thing that I think it shows is that this use case of assigning roles in a way where bicep helps you with auto-complete for the standard roles might be worth adding to the docs.