Working with built-in role-definitions #2656
-
Hi, how do you work with built-in role definitions? I usually just do something like this at the top of my files:

```bicep
// Resource type is the plural 'roleDefinitions'; the GUID is the built-in role's definition ID.
var roleDefinition_Storage_Blob_Data_Contributor = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
var roleDefinition_Azure_Service_Bus_Data_Sender = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39')
var roleDefinition_Azure_Service_Bus_Data_Receiver = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0')
```

But it feels error-prone and is very annoying. Is there a better way?

Kind regards, Mikael
Replies: 4 comments
-
We have an open issue (#1895) to allow AAD lookups so that you can use the friendly name, i.e. `Owner`. Today, what you are doing is the only way to do it unfortunately.
-
@mauve It is possible to create a module that contains these. There is one attached to #3039 (it exports the GUIDs as symbolic names rather than wrapping them in resource IDs, but you could easily modify it). Unfortunately the syntax for importing variables from modules is a little clunky. #1895 is certainly a better solution in the long term, but using a module might save you some cut and paste in the short term!
-
Just as an FYI, I currently export all role definitions to an external JSON file. This is a legacy process that has carried over from ARM templates. This is the output format (excerpt):

```json
{
  "RolesGroupsLookup": {
    "AcrDelete": {
      "Id": "c2f4ef07-c644-48eb-af81-4b1b4947fb11",
      "Description": "acr delete"
    },
    "AcrImageSigner": {
      "Id": "6cef56e8-d556-48e5-a04f-b8e64114680f",
      "Description": "acr image signer"
    }
  }
}
```

Once you have them in the file you need to pass it in as a parameter during the deployment, so I have this in my main deployment function. Notice that I do serialize this JSON object to a JSON string:

```powershell
# Read the lookup from the tenant's config file and pass it to the template as a compressed JSON string.
$RolesGroupsLookup = Get-Content -Path $ArtifactStagingDirectory\tenants\$App\Global-Config.json | ConvertFrom-Json -Depth 10 | ForEach-Object RolesGroupsLookup
$Global.Add('RolesGroupsLookup', ($RolesGroupsLookup | ConvertTo-Json -Compress -Depth 10))
$OptionalParameters['Global'] = $Global
New-AzResourceGroupDeployment -Name $DeploymentName @TemplateArgs @OptionalParameters `
    -ResourceGroupName $ResourceGroupName -Verbose -ErrorVariable ErrorMessages
```

I add just one parameter on my template called `Global` in order to inject a whole series of global data, similar to include files. Then I just have a standard parameter, plus the variable where I convert it back to JSON:

```bicep
param Global object
// Deserialize the compressed JSON string back into an object.
var rolesGroupsLookup = json(Global.RolesGroupsLookup)
```

Now I can consume it with a lookup from the object:

```bicep
RoleID: rolesGroupsLookup[roleInfo.RBAC[i].Name].Id
```

Just out of interest, I store the role assignments like this in parameter files, as an array of role assignments:

```json
"rolesInfo": [
  {
    "Name": "BW",
    "RBAC": [
      {
        "Name": "Contributor"
      },
      {
        "Name": "Key Vault Administrator"
      },
      {
        "Name": "Virtual Machine Administrator Login"
      },
      {
        "Name": "Azure Kubernetes Service RBAC Cluster Admin"
      }
    ]
  }
],
```

It may seem like a lot of work, however once you have the deployment script you never need to touch it. Also, in `Global` you can inject all kinds of data that no longer has to be hard-coded in several templates. List of all of the things I inject at deploy time:

```powershell
$Global = @{ }
# Copy every property of the shared global config object into the hashtable.
$GlobalGlobal | Get-Member -MemberType NoteProperty | ForEach-Object {
    $Property = $_.Name
    $Global.Add($Property, $GlobalGlobal.$Property)
}
$Global.Add('CN', $CN)
# Each lookup is read from the tenant config and stored as a compressed JSON string.
$RolesGroupsLookup = Get-Content -Path $ArtifactStagingDirectory\tenants\$App\Global-Config.json | ConvertFrom-Json -Depth 10 | ForEach-Object RolesGroupsLookup
$Global.Add('RolesGroupsLookup', ($RolesGroupsLookup | ConvertTo-Json -Compress -Depth 10))
$DataDiskInfo = Get-Content -Path $ArtifactStagingDirectory\tenants\$App\Global-ConfigVM.json | ConvertFrom-Json -Depth 10 | ForEach-Object DataDiskInfo
$Global.Add('DataDiskInfo', ($DataDiskInfo | ConvertTo-Json -Compress -Depth 10))
$WadCfg = Get-Content -Path $ArtifactStagingDirectory\tenants\$App\Global-ConfigVM.json | ConvertFrom-Json -Depth 10 | ForEach-Object WadCfg
$Global.Add('WadCfg', ($WadCfg | ConvertTo-Json -Compress -Depth 10))
$ladCfg = Get-Content -Path $ArtifactStagingDirectory\tenants\$App\Global-ConfigVM.json | ConvertFrom-Json -Depth 10 | ForEach-Object ladCfg
$Global.Add('ladCfg', ($ladCfg | ConvertTo-Json -Compress -Depth 10))
$OSType = Get-Content -Path $ArtifactStagingDirectory\tenants\$App\Global-ConfigVM.json | ConvertFrom-Json -Depth 10 | ForEach-Object OSType
$Global.Add('OSType', ($OSType | ConvertTo-Json -Compress -Depth 10))
$computeSizeLookupOptions = Get-Content -Path $ArtifactStagingDirectory\tenants\$App\Global-ConfigVM.json | ConvertFrom-Json -Depth 10 | ForEach-Object computeSizeLookupOptions
$Global.Add('computeSizeLookupOptions', ($computeSizeLookupOptions | ConvertTo-Json -Compress -Depth 10))
$StorageAccountName = $Global.SAName
Write-Verbose "Storage Account is: $StorageAccountName" -Verbose
```
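One way to fold the three per-file variables from the question and the name-based lookup from the post above into a single Bicep file, as an added example that is not from this thread or from the Bicep project. The role GUIDs are the ones quoted in the question; `principalId`, `storageAccountName` and the API versions are assumed inputs.

```bicep
// Added example: one friendly-name -> GUID map, consumed by a role assignment
// scoped to a single resource (least privilege) with a deterministic name.
targetScope = 'resourceGroup'

@description('Object ID of the managed identity or service principal to grant access to (assumed input).')
param principalId string

@description('Name of an existing storage account in this resource group (assumed input).')
param storageAccountName string

@allowed([
  'Storage Blob Data Contributor'
  'Azure Service Bus Data Sender'
  'Azure Service Bus Data Receiver'
])
param roleName string = 'Storage Blob Data Contributor'

// Friendly name -> built-in role definition GUID (same values as in the question).
var builtInRoles = {
  'Storage Blob Data Contributor': 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
  'Azure Service Bus Data Sender': '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
  'Azure Service Bus Data Receiver': '4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0'
}

// Full role definition resource ID built once from the lookup, not hand-typed per file.
var roleDefinitionId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', builtInRoles[roleName])

resource storage 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}

// Scope the assignment to the one resource rather than the resource group or
// subscription, and derive the name from scope + principal + role so redeploys
// are idempotent instead of creating duplicate assignments.
resource assignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(storage.id, principalId, builtInRoles[roleName])
  scope: storage
  properties: {
    roleDefinitionId: roleDefinitionId
    principalId: principalId
    // Stating the principal type avoids a failed assignment when the identity
    // was created moments earlier and directory replication has not caught up.
    principalType: 'ServicePrincipal'
  }
}

output assignedRoleDefinitionId string = roleDefinitionId
```

Adding a role means adding one line to `builtInRoles` and one entry to the `@allowed` list; an unknown name fails at validation time instead of at assignment time.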
-
Going to mark this as answered since it's being tracked via #1895