Coder Perfect

Bicep role assignment to Azure resource group


I’m trying to use one single template to establish a resource group and grant contributor permissions to it. “A nested resource type must have the same number of segments as its resource name,” says the error message.

My Bicep file:

targetScope = 'subscription'

param resourceGroupName string
param resourceGroupLocation string
param contributorsGroupID string

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  location: resourceGroupLocation
  name: resourceGroupName
}

// Assign contributor role to the created AAD group

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  properties: {
    roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c'
    principalId: contributorsGroupID
    principalType: 'Group'
  }
}

To make this work, I’m not sure what to put in the name field in the role assignment part.

Asked by Cyriel Lamerigts

Solution #1

You need to pass a GUID for the roleAssignmentName and a var for the roleID, as shown in the Bicep script below, to create a resource group and to assign contributor access to it.

targetScope = 'subscription'

@description('Name of the resourceGroup to create')
param resourceGroupName string = '<resourcegroupname>'

@description('Location for the resourceGroup')
param resourceGroupLocation string = '<resourcelocation>'

@description('principalId of the user that will be given contributor access to the resourceGroup')
param principalId string = '<userObjectId>'

@description('roleDefinition to apply to the resourceGroup - default is contributor')
param roleDefinitionId string = 'b24988ac-6180-42a0-ab88-20f7382dd24c'

@description('Unique name for the roleAssignment in the format of a guid')
param roleAssignmentName string = guid(principalId, roleDefinitionId, resourceGroupName)

var roleID = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${roleDefinitionId}'

resource newResourceGroup 'Microsoft.Resources/resourceGroups@2019-10-01' = {
  name: resourceGroupName
  location: resourceGroupLocation
  properties: {}
}

// No scope is set, so this extension resource is created at the file's targetScope
resource roleNameGuid_resource 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: roleAssignmentName
  properties: {
    roleDefinitionId: roleID
    principalId: principalId
  }
}

Answered by VenkateshDodda-MT
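
An added example, not part of the original question or answer: in a file with targetScope = 'subscription', a roleAssignments resource declared without a scope is created on the subscription itself, so limiting Contributor to the new resource group means deploying the assignment through a module scoped to that group. The module file name, the parameter names other than those in the question, and the 2022-04-01 API version are assumptions made for this sketch.

```bicep
// ---- main.bicep (subscription-scope deployment) ----
targetScope = 'subscription'

param resourceGroupName string
param resourceGroupLocation string
param contributorsGroupID string // object ID of the Azure AD group
param roleDefinitionGuid string = 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor, as on the page

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: resourceGroupName
  location: resourceGroupLocation
}

// The module is deployed into the new resource group, so the role
// assignment inside it is scoped to that group and nothing wider.
module rgContributor 'rg-role-assignment.bicep' = {
  name: 'rg-contributor-assignment'
  scope: rg
  params: {
    principalId: contributorsGroupID
    principalType: 'Group'
    roleDefinitionGuid: roleDefinitionGuid
  }
}

// ---- rg-role-assignment.bicep (hypothetical file name) ----
// No targetScope line: a Bicep file defaults to resource group scope.
param principalId string
param principalType string
param roleDefinitionGuid string

resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic GUID, so a redeploy targets the same assignment
  name: guid(resourceGroup().id, principalId, roleDefinitionGuid)
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionGuid)
    principalId: principalId
    principalType: principalType
  }
}
```

After deploying main.bicep with `az deployment sub create`, `az role assignment list --resource-group <name>` should show the assignment with a scope ending in `/resourceGroups/<name>` rather than the bare subscription ID.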
