infra: add Storage Blob Data Contributor role for backend app identity

Backend container app needs Storage Blob Data Contributor on the storage account
to upload files. Added to role-assignments.bicep for both avm and bicep flavors.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Prachig-Microsoft

infra/avm/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.43.8.12551",
-      "templateHash": "12751579259960962504"
+      "templateHash": "15764079419575495208"
     }
   },
   "parameters": {
@@ -37799,7 +37799,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.43.8.12551",
-              "templateHash": "10896981330923040072"
+              "templateHash": "16220137308567374453"
             }
           },
           "parameters": {
@@ -37985,6 +37985,18 @@
                 "principalType": "ServicePrincipal"
               }
             },
+            {
+              "condition": "[and(not(empty(parameters('storageAccountResourceId'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
+              "type": "Microsoft.Authorization/roleAssignments",
+              "apiVersion": "2022-04-01",
+              "scope": "[resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/')))]",
+              "name": "[guid(parameters('solutionName'), resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), parameters('backendAppServicePrincipalId'), variables('roleDefinitions').storageBlobDataContributor)]",
+              "properties": {
+                "principalId": "[parameters('backendAppServicePrincipalId')]",
+                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitions').storageBlobDataContributor)]",
+                "principalType": "ServicePrincipal"
+              }
+            },
             {
               "condition": "[and(not(empty(parameters('cosmosDbAccountName'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
               "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",

infra/avm/modules/identity/role-assignments.bicep

@@ -216,6 +216,17 @@ resource searchStorageReader 'Microsoft.Authorization/roleAssignments@2022-04-01
   }
 }
 
+// Backend App → Storage Blob Data Contributor
+resource backendAppStorageContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(storageAccountResourceId) && !empty(backendAppServicePrincipalId)) {
+  name: guid(solutionName, storageAccount.id, backendAppServicePrincipalId, roleDefinitions.storageBlobDataContributor)
+  scope: storageAccount
+  properties: {
+    principalId: backendAppServicePrincipalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.storageBlobDataContributor)
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // ============================================================================
 // 4. COSMOS DB ROLE ASSIGNMENTS
 //    Backend App Service → Cosmos DB (data-plane, uses sqlRoleAssignments)

infra/bicep/main.json

@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.43.8.12551",
-      "templateHash": "6189751586948713756"
+      "templateHash": "2315337546245675369"
     }
   },
   "parameters": {
@@ -2582,7 +2582,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.43.8.12551",
-              "templateHash": "11340155083243769350"
+              "templateHash": "17859174180959627964"
             }
           },
           "parameters": {
@@ -2787,6 +2787,18 @@
                 "principalType": "ServicePrincipal"
               }
             },
+            {
+              "condition": "[and(not(empty(parameters('storageAccountResourceId'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
+              "type": "Microsoft.Authorization/roleAssignments",
+              "apiVersion": "2022-04-01",
+              "scope": "[resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/')))]",
+              "name": "[guid(parameters('solutionName'), resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), parameters('backendAppServicePrincipalId'), variables('roleDefinitions').storageBlobDataContributor)]",
+              "properties": {
+                "principalId": "[parameters('backendAppServicePrincipalId')]",
+                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitions').storageBlobDataContributor)]",
+                "principalType": "ServicePrincipal"
+              }
+            },
             {
               "condition": "[and(not(empty(parameters('cosmosDbAccountName'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
               "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",

infra/bicep/modules/identity/role-assignments.bicep

@@ -224,6 +224,17 @@ resource searchStorageReader 'Microsoft.Authorization/roleAssignments@2022-04-01
   }
 }
 
+// Backend App → Storage Blob Data Contributor
+resource backendAppStorageContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(storageAccountResourceId) && !empty(backendAppServicePrincipalId)) {
+  name: guid(solutionName, storageAccount.id, backendAppServicePrincipalId, roleDefinitions.storageBlobDataContributor)
+  scope: storageAccount
+  properties: {
+    principalId: backendAppServicePrincipalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitions.storageBlobDataContributor)
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // ============================================================================
 // 4. COSMOS DB ROLE ASSIGNMENTS
 //    Backend App Service → Cosmos DB (data-plane, uses sqlRoleAssignments)

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.43.8.12551",
-      "templateHash": "2620189491489939431"
+      "templateHash": "16763602987372761236"
     }
   },
   "parameters": {
@@ -316,7 +316,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.43.8.12551",
-              "templateHash": "12751579259960962504"
+              "templateHash": "15764079419575495208"
             }
           },
           "parameters": {
@@ -38109,7 +38109,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.43.8.12551",
-                      "templateHash": "10896981330923040072"
+                      "templateHash": "16220137308567374453"
                     }
                   },
                   "parameters": {
@@ -38295,6 +38295,18 @@
                         "principalType": "ServicePrincipal"
                       }
                     },
+                    {
+                      "condition": "[and(not(empty(parameters('storageAccountResourceId'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
+                      "type": "Microsoft.Authorization/roleAssignments",
+                      "apiVersion": "2022-04-01",
+                      "scope": "[resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/')))]",
+                      "name": "[guid(parameters('solutionName'), resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), parameters('backendAppServicePrincipalId'), variables('roleDefinitions').storageBlobDataContributor)]",
+                      "properties": {
+                        "principalId": "[parameters('backendAppServicePrincipalId')]",
+                        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitions').storageBlobDataContributor)]",
+                        "principalType": "ServicePrincipal"
+                      }
+                    },
                     {
                       "condition": "[and(not(empty(parameters('cosmosDbAccountName'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
                       "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",
@@ -38672,7 +38684,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.43.8.12551",
-              "templateHash": "6189751586948713756"
+              "templateHash": "2315337546245675369"
             }
           },
           "parameters": {
@@ -41249,7 +41261,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.43.8.12551",
-                      "templateHash": "11340155083243769350"
+                      "templateHash": "17859174180959627964"
                     }
                   },
                   "parameters": {
@@ -41454,6 +41466,18 @@
                         "principalType": "ServicePrincipal"
                       }
                     },
+                    {
+                      "condition": "[and(not(empty(parameters('storageAccountResourceId'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
+                      "type": "Microsoft.Authorization/roleAssignments",
+                      "apiVersion": "2022-04-01",
+                      "scope": "[resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/')))]",
+                      "name": "[guid(parameters('solutionName'), resourceId('Microsoft.Storage/storageAccounts', last(split(parameters('storageAccountResourceId'), '/'))), parameters('backendAppServicePrincipalId'), variables('roleDefinitions').storageBlobDataContributor)]",
+                      "properties": {
+                        "principalId": "[parameters('backendAppServicePrincipalId')]",
+                        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('roleDefinitions').storageBlobDataContributor)]",
+                        "principalType": "ServicePrincipal"
+                      }
+                    },
                     {
                       "condition": "[and(not(empty(parameters('cosmosDbAccountName'))), not(empty(parameters('backendAppServicePrincipalId'))))]",
                       "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments",