Required help on correcting the Bicep template for assigning the role assignment at resource level scope

Pardeep 80 Reputation points
2024-05-08T12:17:55.7666667+00:00

Hi,
we are in the process of generating several public IPs using the provided Bicep template. Our goal is to allocate role assignments to all these IPs within the scope of the resource level. However, we are encountering numerous challenges in assigning the roles at that level and in transmitting dynamic values via the parameter.JSON file.

Bicep code for Ref -

param publicIPs array = []

resource publicIPAddresses 'Microsoft.Network/publicIPAddresses@2020-11-01' = [for (publicIP, index) in publicIPs: {
  name: publicIP.name  //passing in parameter file
  location: publicIP.location //passing in parameter file
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
    dnsSettings: {
      domainNameLabel: publicIP.dnsLabelPrefix //passing in parameter file
    }
  }
  sku: {
    name: 'Standard'
  }
}]

resource roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: publicIPAddresses[index].id
  name: guid(publicIPAddresses[index].id, principalId, '/providers/Microsoft.Authorization/roleDefinitions/65b600df-3d4e6542a5-8dfa-afad6cae4654')
  properties: {
    resourceId('Microsoft.Authorization/roleDefinitions', 65b600df-3d4e6542a5-8dfa-afad6cae4654)
    principalId: principalId  //passing in parameter file
    principalType: 'ServicePrincipal'
  }

}

This code should deploy the public IPs and assign the role assignment to all those IPs with the help of provided principal id in parameter file.

  • Please help me with where to change the code so that the IPs deploy successfully and the role assignment is applied at the IP resource level.
  • With the Bicep code below we are successfully deploying multiple public IPs (passing these values dynamically through the parameter file with the JSON below); the issue is only with the role assignment part of the code.
{
          "name": "myPublicIP8331",
          "location": "East US",
          "dnsLabelPrefix": "mypublicip83381"
        },
param publicIPs array = []

resource publicIPAddresses 'Microsoft.Network/publicIPAddresses@2020-11-01' = [for (publicIP, index) in publicIPs: {
  name: publicIP.name
  location: publicIP.location
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
    dnsSettings: {
      domainNameLabel: publicIP.dnsLabelPrefix
    }
  }
  sku: {
    name: 'Standard'
  }
}]

Accepted answer
    Luis Arias 7,686 Reputation points
    2024-05-08T14:41:58.9066667+00:00

    Hi Pardeep,

    I understood that you want to deploy many public IPs and assign RBAC permissions dynamically to these resources based on a param file, so in that case I recommend you use a .bicepparam file:

    main.bicepparam

    using 'main.bicep'
    param publicIPs = [
      {
        name: 'myPublicIP-la01'
        location: 'East US'
        dnsLabelPrefix: 'mypublicip83381la01'
        principalId: '<your principal id>'
      }
      {
        name: 'myPublicIP-la02'
        location: 'East US'
        dnsLabelPrefix: 'mypublicip83381la02'
        principalId: '<your principal id>'
      }
    ]
    

    Additionally, I updated your second block of code to make a proper loop in this Bicep file and deploy the RBAC assignment according to each public IP's service principal in the bicepparam file.

    main.bicep

    param publicIPs array = []
    
    resource publicIPAddresses 'Microsoft.Network/publicIPAddresses@2020-11-01' = [for (publicIP, index) in publicIPs: {
      name: publicIP.name  //passing in parameter file
      location: publicIP.location //passing in parameter file
      properties: {
        publicIPAllocationMethod: 'Static'
        publicIPAddressVersion: 'IPv4'
        dnsSettings: {
          domainNameLabel: publicIP.dnsLabelPrefix //passing in parameter file
        }
      }
      sku: {
        name: 'Standard'
      }
    }]
    
    resource roleAssignments 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for (publicIP, index) in publicIPs: {
      name: guid(publicIPAddresses[index].id, publicIP.principalId, 'Network Contributor')
      scope: publicIPAddresses[index]
      properties: {
        roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7') //network contributor role (example)
        principalId: publicIP.principalId
      }
    }]
    
    
    

    To deploy and test, you first need to update the param file and the RBAC role id in the Bicep file according to your requirement:

    az deployment group create \
        --resource-group <your-RG> \
        --template-file main.bicep \
        --parameters main.bicepparam
    
    

    Note: I can't find your role id "65b600df-3d4e6542a5-8dfa-afad6cae4654"; I assume that it is a custom role definition.

    Additional references:

    If the information helped address your question, please Accept the answer.

    Luis

    1 person found this answer helpful.
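The following is an added example, not code from the question or from the accepted answer. It generalizes the pattern above: the role definition GUID and the principal type become parameters instead of being hard-coded, and the comments point at the four things in the question's original role-assignment block that stop it from compiling or deploying (the `roleDefinitionId:` key is missing, the GUID is unquoted, `index` is used outside any loop, and `scope` is given the `.id` string rather than the resource itself). The parameter names `roleDefinitionId`, `principalType` and `location` are this example's own choices; the Network Contributor GUID is the one already used in the accepted answer.

```bicep
// Added example (not part of the original question or answer).
// One loop creates the public IPs; a second loop assigns a role on each IP at
// resource scope, so the principal gets rights on that single IP and nothing wider.

@description('Public IPs to create. Each entry: name, dnsLabelPrefix, principalId, optional location.')
param publicIPs array = []

@description('Role definition GUID assigned on each public IP. Defaults to the built-in Network Contributor role (assumed default for this example).')
param roleDefinitionId string = '4d97b98b-1d4f-4787-a291-c67834d212e7'

@description('Type of the principal in publicIPs[*].principalId.')
@allowed(['ServicePrincipal', 'User', 'Group'])
param principalType string = 'ServicePrincipal'

@description('Fallback location when an entry does not carry one (assumed parameter).')
param location string = resourceGroup().location

resource publicIPAddresses 'Microsoft.Network/publicIPAddresses@2020-11-01' = [for ip in publicIPs: {
  name: ip.name
  // Use the per-entry location when present, otherwise the resource group's.
  location: contains(ip, 'location') ? ip.location : location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
    publicIPAddressVersion: 'IPv4'
    dnsSettings: {
      domainNameLabel: ip.dnsLabelPrefix
    }
  }
}]

// The role assignment must be a loop as well; 'index' only exists inside a [for ...].
resource roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (ip, index) in publicIPs: {
  // Role assignment names must be GUIDs. Deriving the GUID from (scope, principal, role)
  // makes repeated deployments idempotent instead of failing on a duplicate assignment.
  name: guid(publicIPAddresses[index].id, ip.principalId, roleDefinitionId)
  // scope takes the resource symbol (or an 'existing' resource), not the .id string.
  scope: publicIPAddresses[index]
  properties: {
    // The property key is required, and the GUID must be a quoted string.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: ip.principalId
    // Stating the principal type lets ARM skip a directory lookup that can fail
    // for a service principal created moments earlier.
    principalType: principalType
  }
}]

// Emit the scopes so the assignments can be checked after deployment.
output assignedScopes array = [for (ip, index) in publicIPs: publicIPAddresses[index].id]
```

After the deployment finishes, each scope from the `assignedScopes` output can be checked with `az role assignment list --scope <public-ip-resource-id> --output table`; the listing should show exactly one assignment per IP, for the expected principal and role, and nothing at resource-group or subscription scope that the template did not intend.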
