From ea1c72d985a28114b50e7503eb606ecdb92fcbe3 Mon Sep 17 00:00:00 2001
From: yairra
Date: Wed, 27 Sep 2023 13:33:29 +0300
Subject: [PATCH 1/5] Azure HA Template | Updated managed identity permissions

---
 .../marketplace-ha/mainTemplate.json | 26 ++++++++-----------
 .../existing-nsg-RoleAssignment.json | 4 +--
 2 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json
index fa367280..86cd551e 100644
--- a/azure/templates/marketplace-ha/mainTemplate.json
+++ b/azure/templates/marketplace-ha/mainTemplate.json
@@ -256,13 +256,6 @@ "Premium_LRS" ] }, - "role": { "type": "string", "defaultValue": "Contributor", "metadata": { "description": "Role" } }, "managedSystemAssigned": { "type": "string", "allowedValues": [
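Review bot: Dropping the `role` parameter (the removed block in this hunk) is a breaking change for any existing parameter file or pipeline that still passes `role`, because ARM validation rejects a deployment whose parameter file names a parameter the template does not declare. If such callers exist, either keep the parameter as a documented no-op or call the removal out in the template's changelog; the commit message only says permissions were updated. The removal itself is sound from a security standpoint — previously a deployer could pass any roleDefinitionId string, Owner included, and it would be granted to the VM identities at resource-group scope.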
@@ -489,8 +482,7 @@
 "publisher": "[variables('imagePublisher')]"
 },
 "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]",
- "roleDefinitionId": "[if(equals(parameters('role'), 'Contributor'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'b24988ac-6180-42a0-ab88-20f7382dd24c'), parameters('role'))]",
- "identity": "[json('{\"type\": \"SystemAssigned\"}')]",
+ "roleDefinitionIds": "[createArray(subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '361898ef-9ed1-48c2-849c-a832951106bb'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7'))]",
 "subnet2PrivateAddresses": [
 "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]",
 "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),2)))]"
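Review bot: The removed `identity` variable has no replacement in this hunk, and nothing visible shows the VM resource setting its identity inline; if the virtual-machine resource (outside this hunk) still reads `variables('identity')` the template no longer validates, and if the identity was dropped altogether the role assignments added in this same commit have no principal to bind. Confirm the VM resource carries `"identity": { "type": "SystemAssigned" }` (conditioned on `managedSystemAssigned`, which this commit keeps) and that no other expression references the removed variable.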
@@ -1109,22 +1101,26 @@
 "name": "[guid(resourceGroup().id, concat(parameters('vmName'), copyIndex(1)))]",
 "copy": {
 "name": "virtualMachineCopy",
- "count": "[variables('count')]"
+ "count": "[mul(length(variables('roleDefinitionIds')), variables('count'))]"
 },
 "dependsOn": [
- "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1)))]"
+ "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2')))]"
 ],
 "properties": {
- "roleDefinitionId": "[variables('roleDefinitionId')]",
+ "roleDefinitionId": "[variables('roleDefinitionIds')[mod(copyIndex(1), 2)]]",
 "scope": "[resourceGroup().id]",
- "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), copyIndex(1))), '2022-11-01', 'Full').identity.principalId]"
+ "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2022-11-01', 'Full').identity.principalId]"
 },
 "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.Authorization/roleAssignments'), parameters('tagsByResource')['Microsoft.Authorization/roleAssignments'], json('{}')) ]"
 },
 {
 "condition": "[and(equals(parameters('managedSystemAssigned'), 'yes'), not(parameters('deployNewNSG')))]",
 "dependsOn": ["[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]"],
- "name": "ExistingNsgRoleAssignment",
+ "name": "[concat('ExistingNsgRoleAssignment', copyIndex())]",
+ "copy": {
+ "name": "ExistingNsgRoleAssignmentCopy",
+ "count": "[length(variables('roleDefinitionIds'))]"
+ },
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2021-04-01",
 "resourceGroup": "[if(not(parameters('deployNewNSG')), split(parameters('ExistingNSG').id, '/')[4], '')]",
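Review bot: With three entries in `roleDefinitionIds` the new index expression `mod(copyIndex(1), 2)` can only yield 0 or 1, so the third role is never assigned, and because the same expression also selects the VM, VM1 always pairs with `roleDefinitionIds[1]` and VM2 with `roleDefinitionIds[0]`; each pair is then created three times under different guid names, which Azure should reject as a duplicate assignment (same role, principal and scope). Derive the role index from the copy counter and `variables('count')` instead, `"roleDefinitionId": "[variables('roleDefinitionIds')[div(sub(copyIndex(1), 1), variables('count'))]]"`, which walks VM1,VM2 for role 0, then VM1,VM2 for role 1, and so on, matching the `'1'`/`'2'` alternation already used for `dependsOn` and `principalId`. Those hard-coded VM suffixes are only correct if `count` is always 2 in this HA template; if it can vary, select the VM with `string(add(mod(sub(copyIndex(1), 1), variables('count')), 1))` as well.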
@@ -1143,7 +1139,7 @@
 "value": "[parameters('vmName')]"
 },
 "roleDefinitionId": {
- "value": "[variables('roleDefinitionId')]"
+ "value": "[variables('roleDefinitionIds')[copyIndex()]]"
 },
 "principalId1": {
 "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1')), '2022-11-01', 'Full').identity.principalId]"
diff --git a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
index 21e60733..1aa9ce64 100755
--- a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
+++ b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
@@ -25,7 +25,7 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
- "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '1', '-nsg'))]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('roleDefinitionId'), parameters('principalId1'), '1', '-nsg'))]",
 "properties": {
 "roleDefinitionId": "[parameters('roleDefinitionId')]",
 "principalId": "[parameters('principalId1')]"
@@ -35,7 +35,7 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
- "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId2'), '2', '-nsg'))]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('roleDefinitionId'), parameters('principalId2'), '2', '-nsg'))]",
 "properties": {
 "roleDefinitionId": "[parameters('roleDefinitionId')]",
 "principalId": "[parameters('principalId2')]"

From 820cab3b6c586c816964e92124bef8eba1fcabb3 Mon Sep 17 00:00:00 2001
From: yairra
Date: Wed, 27 Sep 2023 14:22:33 +0300
Subject: [PATCH 2/5] Azure HA Template | Updated managed identity permissions

---
 azure/templates/marketplace-ha/mainTemplate.json | 5 ++++-
 .../nestedtemplates/existing-nsg-RoleAssignment.json | 7 +++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json
index 86cd551e..7021bcb2 100644
--- a/azure/templates/marketplace-ha/mainTemplate.json
+++ b/azure/templates/marketplace-ha/mainTemplate.json
@@ -1115,7 +1115,7 @@
 },
 {
 "condition": "[and(equals(parameters('managedSystemAssigned'), 'yes'), not(parameters('deployNewNSG')))]",
- "dependsOn": ["[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]"],
+ "dependsOn": "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]",
 "name": "[concat('ExistingNsgRoleAssignment', copyIndex())]",
 "copy": {
 "name": "ExistingNsgRoleAssignmentCopy",
@@ -1146,6 +1146,9 @@
 },
 "principalId2": {
 "value": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2')), '2022-11-01', 'Full').identity.principalId]"
+ },
+ "index": {
+ "value": "[copyIndex()]"
 }
 }
 }
diff --git a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
index 1aa9ce64..07530416 100755
--- a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
+++ b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
@@ -18,6 +18,9 @@
 },
 "principalId2": {
 "type": "string"
+ },
+ "index": {
+ "type": "int"
 }
 },
 "resources": [
@@ -25,7 +28,7 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
- "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('roleDefinitionId'), parameters('principalId1'), '1', '-nsg'))]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '1', '-nsg', parameters('index')))]",
 "properties": {
 "roleDefinitionId": "[parameters('roleDefinitionId')]",
 "principalId": "[parameters('principalId1')]"
@@ -35,7 +38,7 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
- "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('roleDefinitionId'), parameters('principalId2'), '2', '-nsg'))]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('roleDefinitionId'), parameters('principalId2'), '2', '-nsg', parameters('index')))]",
 "properties": {
 "roleDefinitionId": "[parameters('roleDefinitionId')]",
 "principalId": "[parameters('principalId2')]"

From 57d63e2195fdb2685478943eb8d9cb845c520b85 Mon Sep 17 00:00:00 2001
From: yairra
Date: Sun, 1 Oct 2023 10:24:50 +0300
Subject: [PATCH 3/5] Fixed roleAssignment name

---
 .../templates/nestedtemplates/existing-nsg-RoleAssignment.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
index 07530416..805af1bd 100755
--- a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
+++ b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
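Review bot: Replacing `parameters('roleDefinitionId')` with `parameters('index')` in the guid seed ties the assignment name to the role's position in the parent's `roleDefinitionIds` array rather than to the role itself. A role assignment's `roleDefinitionId` and `principalId` cannot be changed after creation, so if that array is later reordered or an entry swapped, a redeploy reuses the same name for a different role and fails with RoleAssignmentUpdateNotPermitted instead of creating a new assignment. Keep the role in the seed — the pre-change `concat(parameters('vmName'), parameters('roleDefinitionId'), parameters('principalId1'), '1', '-nsg')` was already unique per role and principal, so `index` adds nothing for uniqueness and only makes the name order-dependent.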
@@ -38,7 +38,7 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
- "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('roleDefinitionId'), parameters('principalId2'), '2', '-nsg', parameters('index')))]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '1', '-nsg', parameters('index')))]",
 "properties": {
 "roleDefinitionId": "[parameters('roleDefinitionId')]",
 "principalId": "[parameters('principalId2')]"

From 236d79845c55911eda8669f7d899a4aa2acd1adc Mon Sep 17 00:00:00 2001
From: yairra
Date: Sun, 1 Oct 2023 10:33:17 +0300
Subject: [PATCH 4/5] Fixed roleAssignment name

---
 .../templates/nestedtemplates/existing-nsg-RoleAssignment.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
index 805af1bd..f87d2fac 100755
--- a/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
+++ b/azure/templates/nestedtemplates/existing-nsg-RoleAssignment.json
@@ -38,7 +38,7 @@
 "type": "Microsoft.Authorization/roleAssignments",
 "apiVersion": "2022-04-01",
 "scope": "[concat('Microsoft.Network/networkSecurityGroups/', parameters('ExistingNSG').name)]",
- "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '1', '-nsg', parameters('index')))]",
+ "name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId1'), '2', '-nsg', parameters('index')))]",
 "properties": {
 "roleDefinitionId": "[parameters('roleDefinitionId')]",
 "principalId": "[parameters('principalId2')]"

From 6659393c80309765ff87d447ada38029ca918f5e Mon Sep 17 00:00:00 2001
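Review bot: The name of the second assignment, which binds `principalId2`, is now seeded with `parameters('principalId1')`, so it changes whenever VM1's identity is replaced and stays the same when VM2's identity is; in the latter case a redeploy reuses an existing name for a different principal, which Azure rejects because a role assignment's principal cannot be updated. Seed each name with the principal it actually binds: `"name": "[guid(resourceGroup().id, concat(parameters('vmName'), parameters('principalId2'), '2', '-nsg', parameters('index')))]"`. That also restores the symmetry with the first resource, whose name uses `principalId1` and `'1'`.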
From: yairra
Date: Sun, 1 Oct 2023 13:48:51 +0300
Subject: [PATCH 5/5] Azure HA ARM template | Updated managed identity permissions

---
 azure/templates/marketplace-ha/mainTemplate.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/azure/templates/marketplace-ha/mainTemplate.json b/azure/templates/marketplace-ha/mainTemplate.json
index 7021bcb2..07bc2783 100644
--- a/azure/templates/marketplace-ha/mainTemplate.json
+++ b/azure/templates/marketplace-ha/mainTemplate.json
@@ -482,7 +482,7 @@
 "publisher": "[variables('imagePublisher')]"
 },
 "plan": "[if(equals(variables('offer'), 'BYOL') , variables('planBYOL'), if(equals(variables('offer'), 'NGTP'), variables('planNGTP'), if(equals(variables('offer'), 'NGTP-V2'), variables('planNGTP-V2'), if(equals(variables('offer'), 'NGTX'), variables('planNGTX'), if(equals(variables('offer'), 'NGTX-V2'), variables('planNGTX-V2'), json('null'))))))]",
- "roleDefinitionIds": "[createArray(subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '361898ef-9ed1-48c2-849c-a832951106bb'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7'))]",
+ "roleDefinitionIds": "[createArray(subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c'), subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7'))]",
 "subnet2PrivateAddresses": [
 "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),1)))]",
 "[concat(split(parameters('subnet2StartAddress'), '.')[0],'.', split(parameters('subnet2StartAddress'), '.')[1],'.', split(parameters('subnet2StartAddress'), '.')[2],'.', string(add(int(split(parameters('subnet2StartAddress'), '.')[3]),2)))]"
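Review bot: Nothing in the commit message or the template records what role `361898ef…`, removed here, granted or why it is no longer needed, and the two ids that remain are just as opaque to anyone reading the marketplace template. ARM JSON has no comment syntax, so give the ids names a reader can verify: `"vmContributorRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]"`, `"readerRoleId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"`, and `"roleDefinitionIds": "[createArray(variables('vmContributorRoleId'), variables('readerRoleId'))]"` — the names assume these are the built-in Virtual Machine Contributor and Reader roles, which the ids appear to be, so confirm before naming them. Dropping a role narrows what the VM identities can do, which is the right direction; it just needs to be stated.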
@@ -1107,7 +1107,7 @@
 "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2')))]"
 ],
 "properties": {
- "roleDefinitionId": "[variables('roleDefinitionIds')[mod(copyIndex(1), 2)]]",
+ "roleDefinitionId": "[variables('roleDefinitionIds')[if(greater(copyIndex(1), 2), 1, 0)]]",
 "scope": "[resourceGroup().id]",
 "principalId": "[reference(resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), if(equals(mod(copyIndex(1), 2), 1), '1', '2'))), '2022-11-01', 'Full').identity.principalId]"
 },
@@ -1115,7 +1115,7 @@
 },
 {
 "condition": "[and(equals(parameters('managedSystemAssigned'), 'yes'), not(parameters('deployNewNSG')))]",
- "dependsOn": "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]",
+ "dependsOn": ["[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]"],
 "name": "[concat('ExistingNsgRoleAssignment', copyIndex())]",
 "copy": {
 "name": "ExistingNsgRoleAssignmentCopy",
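Review bot: `if(greater(copyIndex(1), 2), 1, 0)` hard-codes both the number of VMs and the number of roles at 2, while the copy `count` (outside this hunk) is `mul(length(variables('roleDefinitionIds')), variables('count'))`: adding a third role or changing `count` silently maps every extra iteration to `roleDefinitionIds[1]` and the same two VMs, producing duplicate assignments rather than a validation error. Compute the role index from the counter instead, `"roleDefinitionId": "[variables('roleDefinitionIds')[div(sub(copyIndex(1), 1), variables('count'))]]"`, which yields 0,0,1,1 for the current 2×2 case and keeps working when either dimension grows. Separately, both roles are granted at `resourceGroup().id`; if `9980e02c…` is the built-in Virtual Machine Contributor role, each cluster member's identity can run commands on and reconfigure every VM in the resource group, not only its HA peer. Either state that in the template's documentation or scope the assignment to the two VM resources if the HA agent only needs to act on them.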
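Review bot: `dependsOn` is correctly an array again but still lists only VM `'1'`, while the nested deployment's `principalId2` parameter (outside this hunk, visible in patch 2) reads VM `'2'`'s identity through `reference(resourceId(...))`, which as far as I can tell creates no implicit dependency because the resource is referenced by id rather than by name. If the nested deployment is evaluated before VM2 finishes provisioning, that reference fails or has no principal to bind. Add the second VM: `"dependsOn": ["[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '1'))]", "[resourceId('Microsoft.Compute/virtualMachines/', concat(parameters('vmName'), '2'))]"],`.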