-
Notifications
You must be signed in to change notification settings - Fork 1
/
applyRBAC.json
60 lines (60 loc) · 2.8 KB
/
applyRBAC.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"roleAssignmentId": {
"type": "string",
"metadata": {
"description": "The RBAC Role Assignment Id."
}
},
"roleAssignmentsApiVersion": {
"type": "string",
"metadata": {
"description": "The RBAC API version."
}
},
"msiApiVersion": {
"type": "string",
"metadata": {
"description": "The API version for MSI."
}
},
"functionAppIdentityResourceId": {
"type": "string",
"metadata": {
"description": "The Principal Id of the function app."
}
},
"roleDefinitionId": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "The Role Definition Id that corresponds to the RBAC role (Owner, Contributor, Reader, custom) to be assigned to the principal id of the function app over the scope of the current resource group. If empty (default and legacy behavior), Owner role is assigned. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for details."
}
}
},
"variables": {
"ownerRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]",
"contributorRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
"readerRoleDefinitionId": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
},
"resources": [
{
"apiVersion": "[parameters('roleAssignmentsApiVersion')]",
"name": "[parameters('roleAssignmentId')]",
"type": "Microsoft.Authorization/roleAssignments",
"properties": {
"roleDefinitionId": "[if(equals(parameters('roleDefinitionId'), ''),variables('ownerRoleDefinitionId'),parameters('roleDefinitionId'))]",
"principalId": "[reference(parameters('functionAppIdentityResourceId'), parameters('msiApiVersion')).principalId]",
"scope": "[resourceGroup().id]"
}
}
],
"outputs": {
"msiIdentity": {
"type": "object",
"value": "[reference(parameters('functionAppIdentityResourceId'), parameters('msiApiVersion'))]"
}
}
}