# Subscription User Role assignments SQL server
This template deploys role assignments scoped to the subscription.

## Prerequisites
- Azure CLI installed
- Bicep CLI installed
- Python
- Jupyter Notebook or JupyterLab installed


## Setup Environment
1. Create a `.env` file and adjust the settings to your needs:

In [None]:
%%writefile .env
SUBSCRIPTION_ID=<subscription_id>
PRINCIPAL_ID=<principal_id>
LOCATION=northeurope

TEMPLATE_FILE = "main.bicep"
PARAMETERS_FILE = "main.bicepparam"

2. Install `python-dotenv` if you haven't already. You can install it using pip:

In [None]:
!pip install python-dotenv

3. Load the settings into the environment:

In [None]:
from dotenv import load_dotenv
import os

load_dotenv()

subscription_id = os.getenv('SUBSCRIPTION_ID')
principal_id = os.getenv('PRINCIPAL_ID')
location = os.getenv('LOCATION')

deployment_name = "roles-assignments"

template_file = os.getenv('TEMPLATE_FILE')
parameters_file = os.getenv('PARAMETERS_FILE')

print(f"Subscription ID: {subscription_id}")
print(f"Principal ID: ###{principal_id}###")
print(f"Location: {location}")

4. Log in to Azure:

In [None]:
!az login

## Deploy template
1. Set the Bicep parameters and adjust the settings where needed:

In [None]:
%%writefile {parameters_file}

using '#{template_file}#'

// ACR
var acrPullRole = '7f951dda-4ed3-4680-a7ca-43fe172d538d'
var acrPushRole = '8311e382-0749-4cb8-b61a-304f252e45ec'

// Storage Account
var storageAccountContributorRole = '17d1049b-9a84-46fb-8f53-869881c3d3ab'
var blobDataOwnerRole = 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b'
var queueDataContributorRole = '974c5e8b-45b9-4653-ba55-5f855dd0fb88'
var tableDataContributorRole = '0a9a7e1f-b9d0-4cc4-a60d-0319b160aaa3'
var storageFileDataPrivilegedContributor = '69566ab7-960f-475b-8e7c-b3118f30c6bd'

param roleAssignments = [
  {
    roleDefinitionId: acrPullRole
    principalId: '#{principal_id}#'
    principalType: 'User'
  }
  {
    roleDefinitionId: acrPushRole
    principalId: '#{principal_id}#'
    principalType: 'User'
  }
  {
    roleDefinitionId: storageAccountContributorRole
    principalId: '#{principal_id}#'
    principalType: 'User'
  }
  {
    roleDefinitionId: blobDataOwnerRole
    principalId: '#{principal_id}#'
    principalType: 'User'
  }
  {
    roleDefinitionId: queueDataContributorRole
    principalId: '#{principal_id}#'
    principalType: 'User'
  }
  {
    roleDefinitionId: tableDataContributorRole
    principalId: '#{principal_id}#'
    principalType: 'User'
  }
  {
    roleDefinitionId: storageFileDataPrivilegedContributor
    principalId: '#{principal_id}#'
    principalType: 'User'
  }
]

2. Replace the tokens in the `.bicepparam` file:

In [None]:
%run "../../utils/placeholder_replacer.py"


path = f'{parameters_file}'
print(path)
replace_placeholders_in_file(path)

3. Deploy the template:

In [None]:
!az deployment sub create --location {location} --template-file {template_file} --parameters {parameters_file} --name {deployment_name}
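
A pre-deployment check that can run between steps 2 and 3, added here as an example and not part of the original notebook: it rejects setting values that are not well-formed before they are substituted into the quoted strings of the parameters file, and reports any `#{name}#` tokens left unresolved afterwards. The function names and the sample values are hypothetical and constructed for illustration; only the token form is taken from the parameters file above.

```python
import re
import uuid

TOKEN_RE = re.compile(r"#\{(\w+)\}#")                   # token form used in the .bicepparam file
LOCATION_RE = re.compile(r"[a-z0-9]+")                   # e.g. northeurope
FILE_RE = re.compile(r"[\w.\-/]+\.bicep(param)?")        # no quotes, spaces or comment markers


def is_guid(value):
    """True only for a canonical 8-4-4-4-12 GUID string."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def validate_settings(settings):
    """Return a list of problems; an empty list means the values are safe to substitute."""
    problems = []
    for key in ("subscription_id", "principal_id"):
        if not is_guid(settings.get(key)):
            problems.append(f"{key} is not a GUID")
    if not LOCATION_RE.fullmatch(settings.get("location") or ""):
        problems.append("location has unexpected characters")
    for key in ("template_file", "parameters_file"):
        if not FILE_RE.fullmatch(settings.get(key) or ""):
            problems.append(f"{key} is not a plain .bicep/.bicepparam path")
    return problems


def unresolved_tokens(text):
    """Names of #{...}# tokens still present after replacement."""
    return sorted(set(TOKEN_RE.findall(text)))


# Constructed sample values (not real identifiers)
sample = {
    "subscription_id": "00000000-0000-0000-0000-000000000000",
    "principal_id": "<principal_id>",       # placeholder left unchanged in .env
    "location": "northeurope",
    "template_file": "main.bicep",
    "parameters_file": "main.bicepparam",
}
sample_params = "using 'main.bicep'\nparam x = '#{principal_id}#'\n"

if __name__ == "__main__":
    print(validate_settings(sample))
    print(unresolved_tokens(sample_params))
```

In the notebook, pass the variables loaded in the setup step to `validate_settings` and the contents of the parameters file to `unresolved_tokens`, and deploy only when both return an empty list.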