The short answer is no, not at this time. But there is a way to do what you're after.
You can put your role assignment in a module and provide the scope
property to get a resource outside the current deployment scope.
Pass the information about the name of the target resource as a parameter of the module, you can then use the reference
keyword to get a runtime reference to your desired resource.
You could do something like this:
//orchestration.bicep
module assignmentInAnotherScope 'roleAssignment.bicep' = {
name: 'assignmentDeployment'
scope: resourceGroup('storage-rg')
params: {
storageAccountName: storageAccountTemp.name
logicAppName: 'testlogicapp'
logicAppResourceGroup: 'logicapp-rg'
}
}
//roleAssignment.bicep
param storageAccountName string
param logicAppName string
param logicAppResourceGroup string
var roleDefinitionId = '00000000-0000-0000-0000-000000000000'
resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
name: storageAccountName
}
resource logicAppTest 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
name: logicAppName
scope: resourceGroup(logicAppResourceGroup)
}
resource logicAppStorageAccountRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
name: guid('ra-logicapp-${roleDefinitionId}')
scope: storageAccountTemp
properties: {
principalType: 'ServicePrincipal'
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
principalId: logicAppTest.identity.principalId
}
}
You can take a look at this Q&A video that will give you an idea on how to use the scope
property with the existing
keyword.