don't use module for subscription scoped template

Signed-off-by: Gerd Oberlechner <[email protected]>

dev-infrastructure/modules/acr/acr-permissions.bicep

@@ -52,7 +52,7 @@ resource acrDeleteRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = if
   }
 }
 
-import * as tmr from 'token-mgmt-role.bicep'
+import * as tmr from 'token-role-name.bicep'
 
 resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = if (grantManageTokenAccess) {
   name: guid(tmr.tokenManagementRoleName)

dev-infrastructure/modules/acr/token-role-name.bicep

@@ -0,0 +1,2 @@
+@export()
+var tokenManagementRoleName = 'token-mgmt-role'

dev-infrastructure/templates/global-roles.bicep

@@ -1,7 +1,28 @@
 @description('Defines if the ACR token management role should be created')
 param manageTokenRole bool
 
-module tokenMgmtRole '../modules/acr/token-mgmt-role.bicep' = if (manageTokenRole) {
-  name: 'acr-token-mgmt-role'
-  scope: subscription()
+import * as tmr from '../modules/acr/token-role-name.bicep'
+
+resource tokenManagementRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' = if (manageTokenRole) {
+  name: guid(tmr.tokenManagementRoleName)
+  properties: {
+    roleName: 'ARO HCP ACR Token Management'
+    type: 'customRole'
+    assignableScopes: [
+      subscription().id
+    ]
+    description: 'This role allows the management of tokens in the ACR'
+    permissions: [
+      {
+        actions: [
+          'Microsoft.ContainerRegistry/registries/tokens/read'
+          'Microsoft.ContainerRegistry/registries/tokens/write'
+          'Microsoft.ContainerRegistry/registries/tokens/delete'
+          'Microsoft.ContainerRegistry/registries/generateCredentials/action'
+          'Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read'
+          'Microsoft.ContainerRegistry/registries/scopeMaps/read'
+        ]
+      }
+    ]
+  }
 }