From 82909b1068c85748495e9ea516d74a0c9bd3a022 Mon Sep 17 00:00:00 2001
From: Eskil Uhlving Larsen <7443949+picccard@users.noreply.github.com>
Date: Sun, 5 Nov 2023 22:02:39 +0100
Subject: [PATCH 1/3] Add type and examples customRoleDefinitions.bicep

---
 .../customRoleDefinitions.bicep | 76 +++++++++++++++++--
 1 file changed, 70 insertions(+), 6 deletions(-)

diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep
index 7b44457bd..80b9b265f 100644
--- a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep
+++ b/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep
@@ -1,11 +1,60 @@
 targetScope = 'managementGroup'
 
 metadata name = 'ALZ Bicep - Custom Role Definitions'
-metadata description ='Custom Role Definitions for ALZ Bicep'
+metadata description = 'Custom Role Definitions for ALZ Bicep'
+
+type typCustomRole = {
+  @description('Name of the custom role')
+  @minLength(5)
+  name: string
+
+  @description('Description of the custom role')
+  @minLength(5)
+  description: string?
+
+  @description('Control plane actions that the role allows')
+  actions: string[]
+
+  @description('Control plane actions that are excluded from the allowed actions')
+  notActions: string[]?
+
+  @description('Data plane actions that the role allows')
+  dataActions: string[]?
+
+  @description('Data plane actions that are excluded from the allowed actions')
+  notDataActions: string[]?
+
+  @description('Scopes that the custom role is available for assignment')
+  assignableScopes: string[]?
+}
 
 @sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
 param parAssignableScopeManagementGroupId string = 'alz'
 
+@sys.description('Additional role to create')
+param parAdditionalRoles typCustomRole[] = [
+  {
+    name: '[alz] IP address writer'
+    actions: [
+      'Microsoft.Network/publicIPAddresses/write'
+    ]
+  }
+  {
+    name: '[alz] JIT Contributor'
+    description: 'Configure or edit a JIT policy for VMs'
+    actions: [
+      'Microsoft.Security/locations/jitNetworkAccessPolicies/write'
+      'Microsoft.Compute/virtualMachines/write'
+      'Microsoft.Security/locations/jitNetworkAccessPolicies/read'
+      'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action'
+      'Microsoft.Security/policies/read'
+      'Microsoft.Security/pricings/read'
+      'Microsoft.Compute/virtualMachines/read'
+      'Microsoft.Network/*/read'
+    ]
+  }
+]
+
 @sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
 param parTelemetryOptOut bool = false
 
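Review bot: The default value of `parAdditionalRoles` creates two custom roles on every deployment of this module unless the caller overrides it, including a role that grants `Microsoft.Compute/virtualMachines/write` at management-group scope; a safer default is `[]`, with the two examples moved to the parameter description or the module README so that extra roles are opt-in rather than opt-out. The new `typCustomRole` type uses `@description` while every parameter in this file uses `@sys.description`; keeping the `sys.` prefix inside the type matches the file's convention. The parameter description also reads `'Additional role to create'` for an array; `'Additional custom roles to create; each entry becomes a Microsoft.Authorization/roleDefinitions resource at the deployment management group'` tells the caller what the default actually does.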
@@ -40,14 +89,29 @@ module modRolesSecurityOperationsRole 'definitions/cafSecurityOperationsRole.bic
   }
 }
 
+resource resAdditionalRoles 'Microsoft.Authorization/roleDefinitions@2022-04-01' = [for role in parAdditionalRoles: {
+  name: guid(role.name, parAssignableScopeManagementGroupId)
+  properties: {
+    roleName: role.name
+    description: role.?description ?? null
+    type: 'CustomRole'
+    permissions: [
+      {
+        actions: role.actions
+        notActions: role.?notActions ?? null
+        dataActions: role.?dataActions ?? null
+        notDataActions: role.?notDataActions ?? null
+      }
+    ]
+    assignableScopes: role.?assignableScopes ?? [
+      tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+    ]
+  }
+}]
+
 // Optional Deployment for Customer Usage Attribution
 module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
   #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information
   name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
   params: {}
 }
-
-output outRolesSubscriptionOwnerRoleId string = modRolesSubscriptionOwnerRole.outputs.outRoleDefinitionId
-output outRolesApplicationOwnerRoleId string = modRolesApplicationOwnerRole.outputs.outRoleDefinitionId
-output outRolesNetworkManagementRoleId string = modRolesNetworkManagementRole.outputs.outRoleDefinitionId
-output outRolesSecurityOperationsRoleId string = modRolesSecurityOperationsRole.outputs.outRoleDefinitionId

From 2a4817ab0f6ee52e34b62601808988f4518217e8 Mon Sep 17 00:00:00 2001
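Review bot: In `resAdditionalRoles` the caller-supplied `assignableScopes` is passed through verbatim, so a role defined by this module can be made assignable at scopes that have nothing to do with `parAssignableScopeManagementGroupId`, and nothing in the hunk documents that; a comment above `assignableScopes:` such as `// Caller-provided scopes are used as-is; only the default is pinned to parAssignableScopeManagementGroupId` makes the trust boundary explicit. The resource name `guid(role.name, parAssignableScopeManagementGroupId)` is deterministic on the role name, so two entries in `parAdditionalRoles` with the same `name` produce the same resource name and the deployment would likely be rejected rather than creating two roles; worth a short comment above `name:` or a `@description` on `typCustomRole.name` saying names must be unique. Unlike the four module-based roles, the new resources expose no output, so consumers cannot reference the created role definition ids; `output outAdditionalRoleIds array = [for i in range(0, length(parAdditionalRoles)): resAdditionalRoles[i].id]` would close that gap. The four `output` lines removed at the end of this hunk are restored by the next patch in this series.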
From: Eskil Uhlving Larsen <7443949+picccard@users.noreply.github.com>
Date: Sun, 5 Nov 2023 22:04:28 +0100
Subject: [PATCH 2/3] re-add some missing outputs

---
 .../customRoleDefinitions/customRoleDefinitions.bicep | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep b/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep
index 80b9b265f..420eb4eaa 100644
--- a/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep
+++ b/infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep
@@ -115,3 +115,8 @@ module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdMan
   name: 'pid-${varCuaid}-${uniqueString(deployment().location)}'
   params: {}
 }
+
+output outRolesSubscriptionOwnerRoleId string = modRolesSubscriptionOwnerRole.outputs.outRoleDefinitionId
+output outRolesApplicationOwnerRoleId string = modRolesApplicationOwnerRole.outputs.outRoleDefinitionId
+output outRolesNetworkManagementRoleId string = modRolesNetworkManagementRole.outputs.outRoleDefinitionId
+output outRolesSecurityOperationsRoleId string = modRolesSecurityOperationsRole.outputs.outRoleDefinitionId

From 11402dfd8470355a1877f212fe436271228345a5 Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sun, 5 Nov 2023 22:12:44 +0000
Subject: [PATCH 3/3] Generate Parameter Markdowns [picccard/647f69f0]

---
 .../customRoleDefinitions.bicep.md | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md b/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md
index 1e25021f5..e0767bb9a 100644
--- a/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md
+++ b/infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md
@@ -7,6 +7,7 @@ Custom Role Definitions for ALZ Bicep
 Parameter name | Required | Description
 -------------- | -------- | -----------
 parAssignableScopeManagementGroupId | No | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.
+parAdditionalRoles | No | Additional role to create
 parTelemetryOptOut | No | Set Parameter to true to Opt-out of deployment telemetry.
 
 ### parAssignableScopeManagementGroupId
@@ -17,6 +18,14 @@ The management group scope to which the role can be assigned. This management gr
 - Default value: `alz`
 
+### parAdditionalRoles
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Additional role to create
+
+- Default value: ` `
+
 ### parTelemetryOptOut
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
 
@@ -49,6 +58,30 @@ outRolesSecurityOperationsRoleId | string |
     "parAssignableScopeManagementGroupId": {
       "value": "alz"
     },
+    "parAdditionalRoles": {
+      "value": [
+        {
+          "name": "[alz] IP address writer",
+          "actions": [
+            "Microsoft.Network/publicIPAddresses/write"
+          ]
+        },
+        {
+          "name": "[alz] JIT Contributor",
+          "description": "Configure or edit a JIT policy for VMs",
+          "actions": [
+            "Microsoft.Security/locations/jitNetworkAccessPolicies/write",
+            "Microsoft.Compute/virtualMachines/write",
+            "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
+            "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
+            "Microsoft.Security/policies/read",
+            "Microsoft.Security/pricings/read",
+            "Microsoft.Compute/virtualMachines/read",
+            "Microsoft.Network/*/read"
+          ]
+        }
+      ]
+    },
     "parTelemetryOptOut": {
       "value": false
     }