
Commit ad36449

committed
revert classic bicep perms
1 parent 9a5cf9c commit ad36449

9 files changed

Lines changed: 396 additions & 12 deletions


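--- a/alz/azuredevops/locals.tf
+++ b/alz/azuredevops/locals.tf
@@ -110,8 +110,9 @@ locals {
 }
 
 locals {
-custom_role_definitions_bicep_names = { for key, value in var.custom_role_definitions_bicep : "custom_role_definition_bicep_${key}" => value.name }
-custom_role_definitions_terraform_names = { for key, value in var.custom_role_definitions_terraform : "custom_role_definition_terraform_${key}" => value.name }
+custom_role_definitions_bicep_names = { for key, value in var.custom_role_definitions_bicep : "custom_role_definition_bicep_${key}" => value.name }
+custom_role_definitions_terraform_names = { for key, value in var.custom_role_definitions_terraform : "custom_role_definition_terraform_${key}" => value.name }
+custom_role_definitions_bicep_classic_names = { for key, value in var.custom_role_definitions_bicep_classic : "custom_role_definition_bicep_clasic_${key}" => value.name }
 
 custom_role_definitions_bicep = {
 for key, value in var.custom_role_definitions_bicep : key => {
@@ -128,4 +129,12 @@ locals {
 permissions = value.permissions
 }
 }
+
+custom_role_definitions_bicep_classic = {
+for key, value in var.custom_role_definitions_bicep_classic : key => {
+name = local.resource_names["custom_role_definition_bicep_classic_${key}"]
+description = value.description
+permissions = value.permissions
+}
+}
 }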
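Review bot: The map key produced by `custom_role_definitions_bicep_classic_names` is spelled `"custom_role_definition_bicep_clasic_${key}"` (single s), while `custom_role_definitions_bicep_classic` in the second hunk indexes `local.resource_names["custom_role_definition_bicep_classic_${key}"]`; unless the resource_names module rewrites its keys, that lookup cannot find a matching entry and the classic role set will fail with an invalid-index error instead of being provisioned. The fix is to spell the key `"custom_role_definition_bicep_classic_${key}"` so it agrees with the lookup and with the `_bicep_`/`_terraform_` keys above it. The same mismatch is present in the corresponding hunks of alz/github/locals.tf and alz/local/locals.tf.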

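--- a/alz/azuredevops/main.tf
+++ b/alz/azuredevops/main.tf
@@ -4,7 +4,7 @@ module "resource_names" {
 environment_name = var.environment_name
 service_name = var.service_name
 postfix_number = var.postfix_number
-resource_names = merge(var.resource_names, local.custom_role_definitions_bicep_names, local.custom_role_definitions_terraform_names)
+resource_names = merge(var.resource_names, local.custom_role_definitions_bicep_names, local.custom_role_definitions_terraform_names, local.custom_role_definitions_bicep_classic_names)
 }
 
 module "files" {
@@ -58,7 +58,7 @@ module "azure" {
 container_registry_image_tag = var.agent_container_image_tag
 container_registry_dockerfile_name = var.agent_container_image_dockerfile
 container_registry_dockerfile_repository_folder_url = local.agent_container_instance_dockerfile_url
-custom_role_definitions = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : local.custom_role_definitions_bicep
+custom_role_definitions = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : (var.iac_type == "bicep" ? local.custom_role_definitions_bicep : local.custom_role_definitions_bicep_classic)
 role_assignments = var.iac_type == "terraform" ? var.role_assignments_terraform : var.role_assignments_bicep
 storage_account_blob_soft_delete_enabled = var.storage_account_blob_soft_delete_enabled
 storage_account_blob_soft_delete_retention_days = var.storage_account_blob_soft_delete_retention_days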
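Review bot: The rewritten `custom_role_definitions` ternary in the second hunk treats every `var.iac_type` value that is neither `"terraform"` nor `"bicep"` as the classic mode, so a mistyped `iac_type` now silently provisions the classic role set (whose default `alz_subscription_owner` grants the `"*"` action) instead of failing. Unless `iac_type` carries a `validation` block restricting it to the three supported values (not visible here), prefer matching the classic literal explicitly, e.g. `var.iac_type == "<classic-mode value>" ? local.custom_role_definitions_bicep_classic : local.custom_role_definitions_bicep`, so an unknown value falls through to the existing bicep behaviour or to an error. The `role_assignments` line immediately below is unchanged and still chooses only between the terraform and bicep assignment sets; if that is intentional for the classic mode, a short comment saying so would stop the next reader from "fixing" it. The same two points apply to alz/github/main.tf.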

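--- a/alz/azuredevops/variables.tf
+++ b/alz/azuredevops/variables.tf
@@ -821,6 +821,125 @@ variable "custom_role_definitions_bicep" {
 }
 }
 
+variable "custom_role_definitions_bicep_classic" {
+description = <<-EOT
+**(Optional)** Custom Azure RBAC role definitions for Bicep-based deployments.
+
+Map of role definition configurations where:
+- **Key**: Role identifier (e.g., 'alz_management_group_contributor')
+- **Value**: Object containing:
+- `name` (string) - Display name (supports template variables like {{service_name}})
+- `description` (string) - Role purpose description
+- `permissions` (object):
+- `actions` (list(string)) - Allowed Azure actions
+- `not_actions` (list(string)) - Denied Azure actions
+
+Default includes 4 predefined roles:
+- `alz_management_group_contributor` - Manage management group hierarchy and governance
+- `alz_management_group_reader` - Run Bicep What-If validations (requires --validation-level providerNoRbac flag)
+- `alz_subscription_owner` - Full access to platform subscriptions
+- `alz_subscription_reader` - Run Bicep What-If for subscription deployments
+
+See default value for complete role action definitions.
+EOT
+type = map(object({
+name = string
+description = string
+permissions = object({
+actions = list(string)
+not_actions = list(string)
+})
+}))
+default = {
+alz_management_group_contributor = {
+name = "Azure Landing Zones Management Group Contributor ({{service_name}}-{{environment_name}})"
+description = "This is a custom role created by the Azure Landing Zones Accelerator for Writing the Management Group Structure."
+permissions = {
+actions = [
+"Microsoft.Management/managementGroups/delete",
+"Microsoft.Management/managementGroups/read",
+"Microsoft.Management/managementGroups/subscriptions/delete",
+"Microsoft.Management/managementGroups/subscriptions/write",
+"Microsoft.Management/managementGroups/write",
+"Microsoft.Management/managementGroups/subscriptions/read",
+"Microsoft.Management/managementGroups/settings/read",
+"Microsoft.Management/managementGroups/settings/write",
+"Microsoft.Management/managementGroups/settings/delete",
+"Microsoft.Authorization/policyDefinitions/write",
+"Microsoft.Authorization/policySetDefinitions/write",
+"Microsoft.Authorization/policyAssignments/write",
+"Microsoft.Authorization/roleDefinitions/write",
+"Microsoft.Authorization/*/read",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/write",
+"Microsoft.Resources/deployments/validate/action",
+"Microsoft.Resources/deployments/read",
+"Microsoft.Resources/deployments/operationStatuses/read",
+"Microsoft.Authorization/roleAssignments/write",
+"Microsoft.Authorization/roleAssignments/delete",
+"Microsoft.Insights/diagnosticSettings/write"
+]
+not_actions = []
+}
+}
+alz_management_group_reader = {
+name = "Azure Landing Zones Management Group What If ({{service_name}}-{{environment_name}})"
+description = "This is a custom role created by the Azure Landing Zones Accelerator for running Bicep What If for the Management Group Structure."
+permissions = {
+actions = [
+"Microsoft.Management/managementGroups/read",
+"Microsoft.Management/managementGroups/subscriptions/read",
+"Microsoft.Management/managementGroups/settings/read",
+"Microsoft.Authorization/*/read",
+"Microsoft.Authorization/policyDefinitions/write",
+"Microsoft.Authorization/policySetDefinitions/write",
+"Microsoft.Authorization/roleDefinitions/write",
+"Microsoft.Authorization/policyAssignments/write",
+"Microsoft.Insights/diagnosticSettings/write",
+"Microsoft.Insights/diagnosticSettings/read",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/write"
+]
+not_actions = []
+}
+}
+alz_subscription_owner = {
+name = "Azure Landing Zones Subscription Owner ({{service_name}}-{{environment_name}})"
+description = "This is a custom role created by the Azure Landing Zones Accelerator for Writing in platform subscriptions."
+permissions = {
+actions = [
+"*",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/write"
+]
+not_actions = []
+}
+}
+alz_subscription_reader = {
+name = "Azure Landing Zones Subscription What If ({{service_name}}-{{environment_name}})"
+description = "This is a custom role created by the Azure Landing Zones Accelerator for running Bicep What If for the platform subscriptions."
+permissions = {
+actions = [
+"*/read",
+"Microsoft.Resources/subscriptions/resourceGroups/write",
+"Microsoft.ManagedIdentity/userAssignedIdentities/write",
+"Microsoft.Automation/automationAccounts/write",
+"Microsoft.OperationalInsights/workspaces/write",
+"Microsoft.OperationsManagement/solutions/write",
+"Microsoft.Insights/dataCollectionRules/write",
+"Microsoft.Authorization/locks/write",
+"Microsoft.Network/*/write",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/write",
+"Microsoft.SecurityInsights/onboardingStates/write"
+]
+not_actions = []
+}
+}
+}
+}
+
 variable "role_assignments_terraform" {
 description = <<-EOT
 **(Optional)** RBAC role assignments for Terraform-based deployments.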
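Review bot: The description of the new `custom_role_definitions_bicep_classic` variable opens with "Custom Azure RBAC role definitions for Bicep-based deployments", which is indistinguishable from the `custom_role_definitions_bicep` variable directly above it, so a reader gets no indication of what "classic" means or when this set is the one applied. Suggest opening the heredoc with `**(Optional)** Custom Azure RBAC role definitions for classic Bicep-based deployments; applied when iac_type selects neither Terraform nor the current Bicep mode.` (hedged: the selection rule is what main.tf in this commit implements, confirm it is the intended contract). Since the `alz_subscription_owner` default grants the `"*"` action at subscription scope, the `Default includes 4 predefined roles` list should say so explicitly rather than "Full access to platform subscriptions", so the breadth of that grant is visible without reading the default block. The same description text is duplicated verbatim in alz/github/variables.tf.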

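--- a/alz/github/locals.tf
+++ b/alz/github/locals.tf
@@ -98,8 +98,9 @@ locals {
 }
 
 locals {
-custom_role_definitions_bicep_names = { for key, value in var.custom_role_definitions_bicep : "custom_role_definition_bicep_${key}" => value.name }
-custom_role_definitions_terraform_names = { for key, value in var.custom_role_definitions_terraform : "custom_role_definition_terraform_${key}" => value.name }
+custom_role_definitions_bicep_names = { for key, value in var.custom_role_definitions_bicep : "custom_role_definition_bicep_${key}" => value.name }
+custom_role_definitions_terraform_names = { for key, value in var.custom_role_definitions_terraform : "custom_role_definition_terraform_${key}" => value.name }
+custom_role_definitions_bicep_classic_names = { for key, value in var.custom_role_definitions_bicep_classic : "custom_role_definition_bicep_clasic_${key}" => value.name }
 
 custom_role_definitions_bicep = {
 for key, value in var.custom_role_definitions_bicep : key => {
@@ -116,6 +117,14 @@ locals {
 permissions = value.permissions
 }
 }
+
+custom_role_definitions_bicep_classic = {
+for key, value in var.custom_role_definitions_bicep_classic : key => {
+name = local.resource_names["custom_role_definition_bicep_classic_${key}"]
+description = value.description
+permissions = value.permissions
+}
+}
 }
 
 locals {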

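--- a/alz/github/main.tf
+++ b/alz/github/main.tf
@@ -4,7 +4,7 @@ module "resource_names" {
 environment_name = var.environment_name
 service_name = var.service_name
 postfix_number = var.postfix_number
-resource_names = merge(var.resource_names, local.custom_role_definitions_bicep_names, local.custom_role_definitions_terraform_names)
+resource_names = merge(var.resource_names, local.custom_role_definitions_bicep_names, local.custom_role_definitions_terraform_names, local.custom_role_definitions_bicep_classic_names)
 }
 
 module "files" {
@@ -59,7 +59,7 @@ module "azure" {
 container_registry_image_tag = var.runner_container_image_tag
 container_registry_dockerfile_name = var.runner_container_image_dockerfile
 container_registry_dockerfile_repository_folder_url = local.runner_container_instance_dockerfile_url
-custom_role_definitions = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : local.custom_role_definitions_bicep
+custom_role_definitions = var.iac_type == "terraform" ? local.custom_role_definitions_terraform : (var.iac_type == "bicep" ? local.custom_role_definitions_bicep : local.custom_role_definitions_bicep_classic)
 role_assignments = var.iac_type == "terraform" ? var.role_assignments_terraform : var.role_assignments_bicep
 storage_account_blob_soft_delete_enabled = var.storage_account_blob_soft_delete_enabled
 storage_account_blob_soft_delete_retention_days = var.storage_account_blob_soft_delete_retention_days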

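--- a/alz/github/variables.tf
+++ b/alz/github/variables.tf
@@ -873,6 +873,125 @@ variable "custom_role_definitions_bicep" {
 }
 }
 
+variable "custom_role_definitions_bicep_classic" {
+description = <<-EOT
+**(Optional)** Custom Azure RBAC role definitions for Bicep-based deployments.
+
+Map of role definition configurations where:
+- **Key**: Role identifier (e.g., 'alz_management_group_contributor')
+- **Value**: Object containing:
+- `name` (string) - Display name (supports template variables like {{service_name}})
+- `description` (string) - Role purpose description
+- `permissions` (object):
+- `actions` (list(string)) - Allowed Azure actions
+- `not_actions` (list(string)) - Denied Azure actions
+
+Default includes 4 predefined roles:
+- `alz_management_group_contributor` - Manage management group hierarchy and governance
+- `alz_management_group_reader` - Run Bicep What-If validations (requires --validation-level providerNoRbac flag)
+- `alz_subscription_owner` - Full access to platform subscriptions
+- `alz_subscription_reader` - Run Bicep What-If for subscription deployments
+
+See default value for complete role action definitions.
+EOT
+type = map(object({
+name = string
+description = string
+permissions = object({
+actions = list(string)
+not_actions = list(string)
+})
+}))
+default = {
+alz_management_group_contributor = {
+name = "Azure Landing Zones Management Group Contributor ({{service_name}}-{{environment_name}})"
+description = "This is a custom role created by the Azure Landing Zones Accelerator for Writing the Management Group Structure."
+permissions = {
+actions = [
+"Microsoft.Management/managementGroups/delete",
+"Microsoft.Management/managementGroups/read",
+"Microsoft.Management/managementGroups/subscriptions/delete",
+"Microsoft.Management/managementGroups/subscriptions/write",
+"Microsoft.Management/managementGroups/write",
+"Microsoft.Management/managementGroups/subscriptions/read",
+"Microsoft.Management/managementGroups/settings/read",
+"Microsoft.Management/managementGroups/settings/write",
+"Microsoft.Management/managementGroups/settings/delete",
+"Microsoft.Authorization/policyDefinitions/write",
+"Microsoft.Authorization/policySetDefinitions/write",
+"Microsoft.Authorization/policyAssignments/write",
+"Microsoft.Authorization/roleDefinitions/write",
+"Microsoft.Authorization/*/read",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/write",
+"Microsoft.Resources/deployments/validate/action",
+"Microsoft.Resources/deployments/read",
+"Microsoft.Resources/deployments/operationStatuses/read",
+"Microsoft.Authorization/roleAssignments/write",
+"Microsoft.Authorization/roleAssignments/delete",
+"Microsoft.Insights/diagnosticSettings/write"
+]
+not_actions = []
+}
+}
+alz_management_group_reader = {
+name = "Azure Landing Zones Management Group What If ({{service_name}}-{{environment_name}})"
+description = "This is a custom role created by the Azure Landing Zones Accelerator for running Bicep What If for the Management Group Structure."
+permissions = {
+actions = [
+"Microsoft.Management/managementGroups/read",
+"Microsoft.Management/managementGroups/subscriptions/read",
+"Microsoft.Management/managementGroups/settings/read",
+"Microsoft.Authorization/*/read",
+"Microsoft.Authorization/policyDefinitions/write",
+"Microsoft.Authorization/policySetDefinitions/write",
+"Microsoft.Authorization/roleDefinitions/write",
+"Microsoft.Authorization/policyAssignments/write",
+"Microsoft.Insights/diagnosticSettings/write",
+"Microsoft.Insights/diagnosticSettings/read",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/write"
+]
+not_actions = []
+}
+}
+alz_subscription_owner = {
+name = "Azure Landing Zones Subscription Owner ({{service_name}}-{{environment_name}})"
+description = "This is a custom role created by the Azure Landing Zones Accelerator for Writing in platform subscriptions."
+permissions = {
+actions = [
+"*",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/write"
+]
+not_actions = []
+}
+}
+alz_subscription_reader = {
+name = "Azure Landing Zones Subscription What If ({{service_name}}-{{environment_name}})"
+description = "This is a custom role created by the Azure Landing Zones Accelerator for running Bicep What If for the platform subscriptions."
+permissions = {
+actions = [
+"*/read",
+"Microsoft.Resources/subscriptions/resourceGroups/write",
+"Microsoft.ManagedIdentity/userAssignedIdentities/write",
+"Microsoft.Automation/automationAccounts/write",
+"Microsoft.OperationalInsights/workspaces/write",
+"Microsoft.OperationalInsights/workspaces/linkedServices/write",
+"Microsoft.OperationsManagement/solutions/write",
+"Microsoft.Insights/dataCollectionRules/write",
+"Microsoft.Authorization/locks/write",
+"Microsoft.Network/*/write",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/write",
+"Microsoft.SecurityInsights/onboardingStates/write"
+]
+not_actions = []
+}
+}
+}
+}
+
 variable "role_assignments_terraform" {
 description = <<-EOT
 **(Optional)** RBAC role assignments for Terraform-based deployments.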

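--- a/alz/local/locals.tf
+++ b/alz/local/locals.tf
@@ -42,8 +42,9 @@ locals {
 }
 
 locals {
-custom_role_definitions_bicep_names = { for key, value in var.custom_role_definitions_bicep : "custom_role_definition_bicep_${key}" => value.name }
-custom_role_definitions_terraform_names = { for key, value in var.custom_role_definitions_terraform : "custom_role_definition_terraform_${key}" => value.name }
+custom_role_definitions_bicep_names = { for key, value in var.custom_role_definitions_bicep : "custom_role_definition_bicep_${key}" => value.name }
+custom_role_definitions_terraform_names = { for key, value in var.custom_role_definitions_terraform : "custom_role_definition_terraform_${key}" => value.name }
+custom_role_definitions_bicep_classic_names = { for key, value in var.custom_role_definitions_bicep_classic : "custom_role_definition_bicep_clasic_${key}" => value.name }
 
 custom_role_definitions_bicep = {
 for key, value in var.custom_role_definitions_bicep : key => {
@@ -60,4 +61,12 @@ locals {
 permissions = value.permissions
 }
 }
+
+custom_role_definitions_bicep_classic = {
+for key, value in var.custom_role_definitions_bicep_classic : key => {
+name = local.resource_names["custom_role_definition_bicep_classic_${key}"]
+description = value.description
+permissions = value.permissions
+}
+}
 }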
