Coder Perfect

How do I add roles to a bicep format resource group?


param rg_la_dev_eastus_name string = 'rg-la-dev-eastus-001'
param rg_la_prod_eastus_name string = 'rg-la-prod-eastus-001'

targetScope = 'subscription'

resource rgLaDev 'Microsoft.Resources/resourceGroups@2020-06-01' = {
  name: rg_la_dev_eastus_name
  location: 'eastus'

resource rgLaProd 'Microsoft.Resources/resourceGroups@2020-06-01' = {
  name: rg_la_prod_eastus_name
  location: 'eastus'

I can make a resource group, however I’d like to assign a role from this location. Every time, I don’t want to do it graphically.

Asked by Roland Barreto

Solution #1

Using Bicep, assign the RBAC role with this script:

resource symbolicname 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: 'string'
  scope: 'string'
  properties: {
    roleDefinitionId: 'string'
    principalId: 'string'
    principalType: 'string'
    canDelegate: bool
    description: 'string'
    condition: 'string'
    conditionVersion: 'string'

Reference here.

Answered by Allen Wu

Solution #2

I just wanted to add to @allen-response wu’s – Keep in mind that this resource cannot be used in a module with targetScope =’subscription’. This must be used in a module that targets the resourceGroup to which permissions are to be assigned.

As a result, you’ll need three files: one to establish the resource groups, and another to store the roleAssignments resource. Then, starting with the first, call the module(s):

module rgLaDevPermissions 'devPermissions.bicep' = {
  name: '${deployment().name}-${}-permissions'
  scope: rgLaDev

module rgLaProdPermissions 'prodPermissions.bicep' = {
  name: '${deployment().name}-${}-permissions'
  scope: rgLaProd

If the structure of roleAssignments is the same and the only difference is who is assigned to, you can use module parameters to have a single module file.

See for further information.

Answered by Miq

Post is based on