Custom role definition as user-defined type

infra-as-code/bicep/modules/customRoleDefinitions/customRoleDefinitions.bicep

@@ -1,11 +1,60 @@
 targetScope = 'managementGroup'
 
 metadata name = 'ALZ Bicep - Custom Role Definitions'
-metadata description ='Custom Role Definitions for ALZ Bicep'
+metadata description = 'Custom Role Definitions for ALZ Bicep'
+
+type typCustomRole = {
+  @description('Name of the custom role')
+  @minLength(5)
+  name: string
+
+  @description('Description of the custom role')
+  @minLength(5)
+  description: string?
+
+  @description('Control plane actions that the role allows')
+  actions: string[]
+
+  @description('Control plane actions that are excluded from the allowed actions')
+  notActions: string[]?
+
+  @description('Data plane actions that the role allows')
+  dataActions: string[]?
+
+  @description('Data plane actions that are excluded from the allowed actions')
+  notDataActions: string[]?
+
+  @description('Scopes that the custom role is available for assignment')
+  assignableScopes: string[]?
+}
 
 @sys.description('The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.')
 param parAssignableScopeManagementGroupId string = 'alz'
 
+@sys.description('Additional role to create')
+param parAdditionalRoles typCustomRole[] = [
+  {
+    name: '[alz] IP address writer'
+    actions: [
+      'Microsoft.Network/publicIPAddresses/write'
+    ]
+  }
+  {
+    name: '[alz] JIT Contributor'
+    description: 'Configure or edit a JIT policy for VMs'
+    actions: [
+      'Microsoft.Security/locations/jitNetworkAccessPolicies/write'
+      'Microsoft.Compute/virtualMachines/write'
+      'Microsoft.Security/locations/jitNetworkAccessPolicies/read'
+      'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action'
+      'Microsoft.Security/policies/read'
+      'Microsoft.Security/pricings/read'
+      'Microsoft.Compute/virtualMachines/read'
+      'Microsoft.Network/*/read'
+    ]
+  }
+]
+
 @sys.description('Set Parameter to true to Opt-out of deployment telemetry.')
 param parTelemetryOptOut bool = false
 
@@ -40,6 +89,26 @@ module modRolesSecurityOperationsRole 'definitions/cafSecurityOperationsRole.bic
   }
 }
 
+resource resAdditionalRoles 'Microsoft.Authorization/roleDefinitions@2022-04-01' = [for role in parAdditionalRoles: {
+  name: guid(role.name, parAssignableScopeManagementGroupId)
+  properties: {
+    roleName: role.name
+    description: role.?description ?? null
+    type: 'CustomRole'
+    permissions: [
+      {
+        actions: role.actions
+        notActions: role.?notActions ?? null
+        dataActions: role.?dataActions ?? null
+        notDataActions: role.?notDataActions ?? null
+      }
+    ]
+    assignableScopes: role.?assignableScopes ?? [
+      tenantResourceId('Microsoft.Management/managementGroups', parAssignableScopeManagementGroupId)
+    ]
+  }
+}]
+
 // Optional Deployment for Customer Usage Attribution
 module modCustomerUsageAttribution '../../CRML/customerUsageAttribution/cuaIdManagementGroup.bicep' = if (!parTelemetryOptOut) {
   #disable-next-line no-loc-expr-outside-params //Only to ensure telemetry data is stored in same location as deployment. See https://github.com/Azure/ALZ-Bicep/wiki/FAQ#why-are-some-linter-rules-disabled-via-the-disable-next-line-bicep-function for more information

infra-as-code/bicep/modules/customRoleDefinitions/generateddocs/customRoleDefinitions.bicep.md

@@ -7,6 +7,7 @@ Custom Role Definitions for ALZ Bicep
 Parameter name | Required | Description
 -------------- | -------- | -----------
 parAssignableScopeManagementGroupId | No       | The management group scope to which the role can be assigned. This management group ID will be used for the assignableScopes property in the role definition.
+parAdditionalRoles | No       | Additional role to create
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
 
 ### parAssignableScopeManagementGroupId
@@ -17,6 +18,14 @@ The management group scope to which the role can be assigned. This management gr
 
 - Default value: `alz`
 
+### parAdditionalRoles
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Additional role to create
+
+- Default value: ` `
+
 ### parTelemetryOptOut
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -49,6 +58,30 @@ outRolesSecurityOperationsRoleId | string |
         "parAssignableScopeManagementGroupId": {
             "value": "alz"
         },
+        "parAdditionalRoles": {
+            "value": [
+                {
+                    "name": "[alz] IP address writer",
+                    "actions": [
+                        "Microsoft.Network/publicIPAddresses/write"
+                    ]
+                },
+                {
+                    "name": "[alz] JIT Contributor",
+                    "description": "Configure or edit a JIT policy for VMs",
+                    "actions": [
+                        "Microsoft.Security/locations/jitNetworkAccessPolicies/write",
+                        "Microsoft.Compute/virtualMachines/write",
+                        "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
+                        "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
+                        "Microsoft.Security/policies/read",
+                        "Microsoft.Security/pricings/read",
+                        "Microsoft.Compute/virtualMachines/read",
+                        "Microsoft.Network/*/read"
+                    ]
+                }
+            ]
+        },
         "parTelemetryOptOut": {
             "value": false
         }