Unable to use artifacts function to specify roleDefinitionId. #61

Open
oliverroer opened this issue Jun 18, 2021 · 3 comments

@oliverroer

oliverroer commented Jun 18, 2021

This article says that the roleDefinitionId on an artifact of kind roleAssignment cannot be parameterized.

As far as I can see, this means that something like the following will not work:

{
    "kind": "roleAssignment",
    "properties": {
        "description": "Assigns a custom role to a principal",
        "displayName": "Custom Role Assignment",
        "principalIds": [
            "[parameters('principal')]"
        ],
        "roleDefinitionId": "[artifacts('customRole').outputs.resourceId]"
    }
}

where the customRole artifact is of kind template and outputs a resourceId which is the resource ID of a custom role that it creates on the subscription.

As noted, I'm aware that this is not supported; however, I would like to hear the reason why, as I'm trying to create a blueprint that both creates a custom role definition and assigns it at the same time.

It is probably possible to do the assignment using ARM templating; however, I would like to avoid it, since doing role assignments in ARM is a messy process that does not spark joy (see this issue).

@alex-frankel
Contributor

Basically we check that you have access to the role definition when you create the blueprint definition. We are not able to do that if it's parameterized. If you are not using the blueprint lock capability, then I'd recommend using bicep + template specs as this will give you full control to parameterize any field. You may want to check out this video:
https://www.youtube.com/watch?v=i4dEN0o1PHo

@oliverroer
Author

So there's an up-front check on the role definition when you create the blueprint definition, if I understood you correctly.
Have you considered doing this check during assignment/deployment instead?

Also yes, I do use the lock capability and intend to keep doing so. ☹️

I will have a look at the video later. 😄

@oliverroer
Author

I have now had a look at the video you linked. It looks like the Bicep approach has the same issue as ARM, as it is essentially just ARM with a nicer syntax and functionality. Having to come up with your own GUID for the role assignment is something we would like to avoid.
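
The ARM route discussed in this thread, as an added example that is not part of the original issue or the project's own code: a subscription-scope template that creates a custom role and assigns it, deriving both resource names with the ARM `guid()` function so no GUID is chosen by hand and redeployments stay idempotent. The role name, the `*/read` permission set and the parameter defaults are constructed for illustration; `principal` and the `resourceId` output mirror the names used in the issue.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principal": {
      "type": "string",
      "metadata": { "description": "Object ID of the principal that receives the role" }
    },
    "roleName": {
      "type": "string",
      "defaultValue": "Example Custom Reader",
      "metadata": { "description": "Constructed example value, not from the issue" }
    }
  },
  "variables": {
    "roleDefName": "[guid(subscription().id, parameters('roleName'))]",
    "roleDefId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefName'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "apiVersion": "2022-04-01",
      "name": "[variables('roleDefName')]",
      "properties": {
        "roleName": "[parameters('roleName')]",
        "description": "Constructed example role: read-only, scoped to this subscription",
        "type": "CustomRole",
        "permissions": [ { "actions": [ "*/read" ], "notActions": [] } ],
        "assignableScopes": [ "[subscription().id]" ]
      }
    },
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(subscription().id, parameters('principal'), variables('roleDefId'))]",
      "dependsOn": [ "[variables('roleDefId')]" ],
      "properties": {
        "roleDefinitionId": "[variables('roleDefId')]",
        "principalId": "[parameters('principal')]"
      }
    }
  ],
  "outputs": {
    "resourceId": { "type": "string", "value": "[variables('roleDefId')]" }
  }
}
```

Because the assignment name is a hash of the scope, principal and role definition ID, the same inputs always produce the same assignment, and a change to any of them produces a distinct one rather than silently overwriting an existing grant.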
