You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Is your feature request related to a problem?
[Examples] Override Module Role Assignments provides a great guide on how to customise policy role assignments. However, it would be very helpful if we could specify different scopes for each role assignment, especially when dealing with resources across different subscriptions or management groups.
Describe the solution you'd like
I propose enhancing the custom_policy_roles variable to support a more flexible structure that allows specifying both the role definition ID and the scope for each role assignment. This would enable users to assign roles at different scopes for the same policy, which is particularly useful in cross-subscription scenarios.
A practical example of where this enhanced functionality would be beneficial is in the deployment of Azure Monitor's Data Collection Rules (DCRs). Consider the following scenario:
A policy is assigned at the landing zones management group level to associate VMs with a Data Collection Rule.
The VMs are in one subscription (e.g., a corp subscription).
The Data Collection Rule itself is in a different subscription (e.g., management subscription).
In this case, the policy's system assigned managed identity needs different permissions at different scopes:
'Microsoft.Insights/dataCollectionRuleAssociations/write' permission on the VM's subscription
'Microsoft.Insights/dataCollectionRules/read' permission on the subscription containing the DCR
With the current implementation, we can only assign roles at the policy assignment scope (the landing zones management group). This doesn't provide the necessary granular permissions for cross-subscription scenarios. The proposed enhancement would allow us to assign the required roles at the appropriate scopes, see below.
Community Note
Description
Is your feature request related to a problem?
[Examples] Override Module Role Assignments provides a great guide on how to customise policy role assignments. However, it would be very helpful if we could specify different scopes for each role assignment, especially when dealing with resources across different subscriptions or management groups.
Describe the solution you'd like
I propose enhancing the custom_policy_roles variable to support a more flexible structure that allows specifying both the role definition ID and the scope for each role assignment. This would enable users to assign roles at different scopes for the same policy, which is particularly useful in cross-subscription scenarios.
A practical example of where this enhanced functionality would be beneficial is in the deployment of Azure Monitor's Data Collection Rules (DCRs). Consider the following scenario:
A policy is assigned at the landing zones management group level to associate VMs with a Data Collection Rule.
The VMs are in one subscription (e.g., a corp subscription).
The Data Collection Rule itself is in a different subscription (e.g., management subscription).
In this case, the policy's system assigned managed identity needs different permissions at different scopes:
With the current implementation, we can only assign roles at the policy assignment scope (the landing zones management group). This doesn't provide the necessary granular permissions for cross-subscription scenarios. The proposed enhancement would allow us to assign the required roles at the appropriate scopes, see below.
Current structure for custom_policy_roles:
Proposed new structure for custom_policy_roles:
Example implementation:
The text was updated successfully, but these errors were encountered: