Problem
param rg_la_dev_eastus_name string = 'rg-la-dev-eastus-001'
param rg_la_prod_eastus_name string = 'rg-la-prod-eastus-001'
targetScope = 'subscription'
resource rgLaDev 'Microsoft.Resources/resourceGroups@2020-06-01' = {
  name: rg_la_dev_eastus_name
  location: 'eastus'
}
resource rgLaProd 'Microsoft.Resources/resourceGroups@2020-06-01' = {
  name: rg_la_prod_eastus_name
  location: 'eastus'
}
I can make a resource group; however, I'd like to assign a role from this location. I don't want to do it graphically every time.
Asked by Roland Barreto
Solution #1
Using Bicep, assign the RBAC role with this script:
resource symbolicname 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: 'string'
  scope: 'string'
  properties: {
    roleDefinitionId: 'string'
    principalId: 'string'
    principalType: 'string'
    canDelegate: bool
    description: 'string'
    condition: 'string'
    conditionVersion: 'string'
  }
}
Reference here.
Answered by Allen Wu
Solution #2
I just wanted to add to @allen-wu's response: keep in mind that this resource cannot be used in a module with targetScope = 'subscription'. This must be used in a module that targets the resourceGroup to which permissions are to be assigned.
As a result, you’ll need three files: one to establish the resource groups, and another to store the roleAssignments resource. Then, starting with the first, call the module(s):
module rgLaDevPermissions 'devPermissions.bicep' = {
  name: '${deployment().name}-${rgLaDev.name}-permissions'
  scope: rgLaDev
}
module rgLaProdPermissions 'prodPermissions.bicep' = {
  name: '${deployment().name}-${rgLaProd.name}-permissions'
  scope: rgLaProd
}
If the structure of roleAssignments is the same and the only difference is who it is assigned to, you can use module parameters to have a single module file.
See https://github.com/Azure/bicep/issues/1388 for further information.
Answered by Miq
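Added example, not part of the original answers: the single parameterized module that Solution #2 describes, called for both resource groups from the question. The file names, the choice of the built-in Reader role and the placeholder principal IDs are assumptions.

```bicep
// ---- roleAssignment.bicep (hypothetical file name): deployed at resource-group scope ----
targetScope = 'resourceGroup'

@description('Object ID of the user, group or service principal receiving the role.')
param principalId string

@description('GUID of the role definition to assign.')
param roleDefinitionGuid string

@allowed([
  'User'
  'Group'
  'ServicePrincipal'
])
param principalType string = 'Group'

var roleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionGuid)

resource assignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // Deterministic name from scope + principal + role, so redeploying is idempotent.
  name: guid(resourceGroup().id, principalId, roleDefinitionId)
  properties: {
    roleDefinitionId: roleDefinitionId
    principalId: principalId
    principalType: principalType
  }
}

// ---- main.bicep (hypothetical file name): the subscription-scope file from the question ----
// Goes below the rgLaDev / rgLaProd resources; principal IDs are constructed placeholders.
var readerRoleGuid = 'acdd72a7-3385-48ef-bd42-f606fba81ae7' // built-in Reader role

module rgLaDevPermissions 'roleAssignment.bicep' = {
  name: '${deployment().name}-${rgLaDev.name}-permissions'
  scope: rgLaDev
  params: {
    principalId: '00000000-0000-0000-0000-000000000001' // placeholder: dev group object ID
    roleDefinitionGuid: readerRoleGuid
  }
}

module rgLaProdPermissions 'roleAssignment.bicep' = {
  name: '${deployment().name}-${rgLaProd.name}-permissions'
  scope: rgLaProd
  params: {
    principalId: '00000000-0000-0000-0000-000000000002' // placeholder: prod group object ID
    roleDefinitionGuid: readerRoleGuid
  }
}
```

Passing the role GUID as a parameter keeps each assignment explicit at the call site, which makes it easy to review that dev and prod receive only the role they need.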
Post is based on https://stackoverflow.com/questions/66993414/how-can-i-add-roles-to-a-resource-group-in-bicep-format