-
I changed this to a discussion because that could go in various directions depending on your need and what you're trying to achieve. Is there any particular reason you'd want a module to perform one or multiple role assignments in a generic way? A module in Bicep translates into a nested deployment in ARM. Having a module that you call multiple times to perform 1 role assignment sounds like a bad idea to me. But again, maybe I am missing something in your requirements. You usually do a nested deployment to abstract more complex logic than a single, simple task like a role assignment. But for your initial question, Bicep will require a resource, resource group, subscription, management group or tenant as the scope for a role assignment. You could declare the scope property on the resource itself like this 👇 but you lose the flexibility you seem to be looking for.
I'll wait to understand your need a bit more, and we'll go from there.
-
I personally (it is very personal) prefer to have modules that wrap and perform a complete story. In the case of Key Vault, you could have a module that handles the key vault itself, diagnostic settings (logging) and, let's say, a loop around role assignments, all in the same file. It is pretty close to what you expressed, I think. Here is an example; let me know what you think and if that could work for you. keyvault.bicep
main.bicep
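The two comments above describe, first, pinning a role assignment to a resource through its `scope` property and, second, a Key Vault module that owns the vault, its diagnostic settings and a loop of role assignments, called from a `main.bicep`. The following is an added example of both ideas written for this page; it is not the code the commenters posted. File names, parameter names, the `kv-example-001` vault name and the angle-bracket placeholders for the Log Analytics workspace ID, role definition GUID and group object ID are all assumptions to be replaced with real values.

```bicep
// ---- keyvault.bicep (added example, not the discussion author's file) ----
param name string
param location string = resourceGroup().location
// Resource ID of the Log Analytics workspace that receives audit logs (placeholder in main.bicep).
param logAnalyticsWorkspaceId string
// Each entry: { principalId, principalType, roleDefinitionId } where roleDefinitionId is the
// GUID of a built-in role. An empty default keeps the module usable without any assignments.
param roleAssignments array = []

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: name
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true       // data-plane access is governed by RBAC, not access policies
    enablePurgeProtection: true
    softDeleteRetentionInDays: 90
  }
}

// Diagnostic settings are an extension resource, so they also use `scope` to attach to the vault.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-${name}'
  scope: kv
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { categoryGroup: 'audit', enabled: true } ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}

// One role assignment per entry, scoped to the vault. The name must be a GUID and is derived
// deterministically from (scope, principal, role) so redeployments are idempotent and a changed
// principal or role produces a new assignment instead of silently rewriting an old one.
resource rbac 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for ra in roleAssignments: {
  name: guid(kv.id, ra.principalId, ra.roleDefinitionId)
  scope: kv
  properties: {
    principalId: ra.principalId
    principalType: ra.principalType   // 'User' | 'Group' | 'ServicePrincipal'; avoids replication lag errors for new principals
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ra.roleDefinitionId)
  }
}]

output vaultId string = kv.id

// ---- main.bicep (separate file; shown here for completeness) ----
// param secretsReaderGroupObjectId string   // object ID of the Entra ID group (assumed)
//
// module keyVault './keyvault.bicep' = {
//   name: 'kv-deploy'
//   params: {
//     name: 'kv-example-001'
//     logAnalyticsWorkspaceId: '<log-analytics-workspace-resource-id>'
//     roleAssignments: [
//       {
//         principalId: secretsReaderGroupObjectId
//         principalType: 'Group'
//         roleDefinitionId: '<built-in-role-definition-guid>'   // e.g. a Key Vault data-plane role
//       }
//     ]
//   }
// }
```

Because every assignment in the loop carries `scope: kv`, the module can only ever grant access to the vault it creates; that is the loss of flexibility the first comment mentions, but it also means a caller cannot accidentally hand out a role at resource-group or subscription scope through this module. Prefer the narrowest built-in role that covers the workload (a secrets-read role for consumers rather than a vault-wide administrator role) and keep `enableRbacAuthorization` on so that the role assignments are the single source of truth for data-plane access.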
-
I'll give it a try and share one more way to assign RBAC roles. My main goal was to have a param file where I can easily add new roles and principals (users or AAD groups).
That's a module for an RBAC assignment. This module will be a part of the main VM bicep file. The main purpose of this module is to assign RBAC roles to multiple principals.
The last step is to implement the RBAC assignment module in the VM deployment module. As you can see, I call the vmRbac module and call
-
So I ended up taking thoughts from a few folks and leveraged modules to handle nesting each loop. Did this as I wanted the parameter file to be simpler for maintenance/scalability. This as of now is only for the subscription. parameters.json:
main bicep:
var_roleAssignmentInfo_module.bicep
auth_roleassignment_sub.module.bicep:
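The last two comments share one pattern: a parameter file that lists roles and, under each role, the principals that should receive it, with a module doing the actual assignments so that the loop over roles and the loop over principals can be nested. The following is an added example of that pattern at subscription scope, written for this page rather than taken from either commenter's files. The file names, parameter names, the `roleAssignmentInfo` shape and the all-zero/all-one GUIDs are assumptions and placeholders.

```bicep
// ---- main.bicep (added example, not a file from the discussion) ----
targetScope = 'subscription'

// Mirrors the kind of parameters.json described above: one entry per role, each carrying the
// principals that should get it. The default here is a constructed placeholder; a real
// deployment supplies this array from the parameter file.
param roleAssignmentInfo array = [
  {
    roleDefinitionId: '00000000-0000-0000-0000-000000000001'   // placeholder built-in role GUID
    principalType: 'Group'
    principalIds: [
      '11111111-1111-1111-1111-111111111111'                   // placeholder group object ID
      '22222222-2222-2222-2222-222222222222'                   // placeholder group object ID
    ]
  }
]

// A resource loop cannot be nested directly inside another resource loop, so the outer loop
// (roles) calls a module and the module runs the inner loop (principals). Deployment names must
// be unique within the scope, hence the index suffix.
module roleLoop './roleassignment_sub.module.bicep' = [for (role, i) in roleAssignmentInfo: {
  name: 'rbac-sub-${i}'
  params: {
    roleDefinitionId: role.roleDefinitionId
    principalType: role.principalType
    principalIds: role.principalIds
  }
}]

// ---- roleassignment_sub.module.bicep (separate file; shown here for completeness) ----
// targetScope = 'subscription'
//
// param roleDefinitionId string   // GUID of a built-in role definition
// param principalType string      // 'User' | 'Group' | 'ServicePrincipal'
// param principalIds array        // object IDs that receive the role
//
// // No `scope` property: at targetScope = 'subscription' the assignment lands on the
// // subscription itself. The GUID name is derived from (scope, principal, role) so
// // re-running the deployment updates in place instead of creating duplicates.
// resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for pid in principalIds: {
//   name: guid(subscription().id, pid, roleDefinitionId)
//   properties: {
//     principalId: pid
//     principalType: principalType
//     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
//   }
// }]
```

Two points worth checking before using a layout like this in anger. Subscription-scope assignments are the broadest a single parameter file can grant, so the file becomes a high-value change surface: review it like code, keep it to groups rather than individual users where possible, and prefer narrower roles over owner/contributor. Also, the deployment identity that runs `main.bicep` needs permission to create role assignments at the subscription (an owner-level or user-access-administrator-level right), so that identity itself should be tightly controlled and its activity logged.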