diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool.bicep
index 4af79e12b1..59fdbb7a26 100644
--- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool.bicep
+++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool.bicep
@@ -1,5 +1,4 @@
 param capacityPoolObj object
-param builtInRoleNames object
 param location string
 param netAppAccountName string
@@ -16,7 +15,6 @@ module capacityPool_volumes 'nested_capacityPool_volume.bicep' = [for (volume, i
 name: '${deployment().name}-Vol-${index}'
 params: {
 volumeObj: volume
- builtInRoleNames: builtInRoleNames
 location: location
 capacityPoolName: capacityPool.name
 poolServiceLevel: capacityPool.properties.serviceLevel
@@ -27,7 +25,6 @@ module capacityPool_rbac 'nested_capacityPool_rbac.bicep' = [for (roleAssignment
 name: '${deployment().name}-Rbac-${index}'
 params: {
 roleAssignmentObj: roleAssignment
- builtInRoleNames: builtInRoleNames
 resourceName: capacityPool.name
 }
 }]
diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_rbac.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_rbac.bicep
index 0b29774ce4..87ff75b128 100644
--- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_rbac.bicep
+++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_rbac.bicep
@@ -1,11 +1,31 @@
 param roleAssignmentObj object
-param builtInRoleNames object
 param resourceName string
-resource roleAssignment 'Microsoft.NetApp/netAppAccounts/capacityPools/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
- name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2021-04-01' existing = {
+ name: resourceName
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: guid(capacityPool.name, principalId, roleAssignmentObj.roleDefinitionIdOrName)
 properties: {
 roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName
 principalId: principalId
 }
+ scope: capacityPool
 }]
diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume.bicep
index 83ab442db4..e23e69b211 100644
--- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume.bicep
+++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume.bicep
@@ -1,5 +1,4 @@
 param volumeObj object
-param builtInRoleNames object
 param location string
 param capacityPoolName string
 param poolServiceLevel string
@@ -21,7 +20,6 @@ module volume_rbac 'nested_capacityPool_volume_rbac.bicep' = [for (roleAssignmen
 name: '${deployment().name}-Rbac-${index}'
 params: {
 roleAssignmentObj: roleAssignment
- builtInRoleNames: builtInRoleNames
 resourceName: volume.name
 }
 }]
diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume_rbac.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume_rbac.bicep
index 9b95ce0405..7251dcc20b 100644
--- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume_rbac.bicep
+++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_capacityPool_volume_rbac.bicep
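Review bot: The new `Microsoft.Authorization/roleAssignments` resource sets only `roleDefinitionId` and `principalId`, so an assignment to a service principal or managed identity created earlier in the same deployment can fail with a PrincipalNotFound error while directory replication catches up, because ARM has to look the object up to infer its type; the 2020-04-01-preview API takes `principalType` precisely to avoid that lookup. Let callers opt in with `principalType: contains(roleAssignmentObj, 'principalType') ? roleAssignmentObj.principalType : null` inside `properties`, which leaves existing inputs unchanged as long as ARM treats the null property as absent, which is how this pattern is normally used. The `existing` capacity pool is resolved purely from `name: resourceName`; for a child resource that has to be the segmented `account/pool` string, presumably what the parent hands in as `capacityPool.name`, so a one-line comment such as `// resourceName is the full '<account>/<pool>' name passed down by nested_capacityPool.bicep` would stop a future caller passing the leaf name and getting a runtime NotFound instead of a compile error.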
@@ -1,11 +1,31 @@
 param roleAssignmentObj object
-param builtInRoleNames object
 param resourceName string
-resource roleAssignment 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
- name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2021-04-01' existing = {
+ name: resourceName
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: guid(volume.name, principalId, roleAssignmentObj.roleDefinitionIdOrName)
 properties: {
 roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName
 principalId: principalId
 }
+ scope: volume
 }]
diff --git a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep
index 8135a821ee..737a06347f 100644
--- a/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep
+++ b/arm/Microsoft.NetApp/netAppAccounts/.bicep/nested_rbac.bicep
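Review bot: The `builtInRoleNames` map added here is a verbatim copy of the one added to nested_capacityPool_rbac.bicep and nested_rbac.bicep in the same change, replacing the single object that deploy.bicep used to pass down, and nothing now keeps the three copies aligned. Since a friendly name is translated through `builtInRoleNames[...]` before ARM ever sees it, a GUID that drifts in one copy would silently grant a different role at volume scope and still deploy cleanly, which is a worse failure mode than the parameter plumbing this refactor removes. If the map cannot live in one shared module, at least mark each copy, `// Keep identical to the map in nested_rbac.bicep and nested_capacityPool_rbac.bicep: a wrong GUID here maps the friendly name to a different role`, and add a repository test that asserts the three blocks are byte-identical.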
@@ -1,11 +1,31 @@
 param roleAssignmentObj object
-param builtInRoleNames object
 param resourceName string
-resource roleAssignment 'Microsoft.NetApp/netAppAccounts/providers/roleAssignments@2021-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
- name: '${resourceName}/Microsoft.Authorization/${guid(resourceName, principalId, roleAssignmentObj.roleDefinitionIdOrName)}'
+var builtInRoleNames = {
+ 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+ 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+ 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+ 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
+ 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+ 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
+ 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
+ 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
+ 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
+ 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
+ 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
+ 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
+ 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
+}
+
+resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2021-04-01' existing = {
+ name: resourceName
+}
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for principalId in roleAssignmentObj.principalIds: {
+ name: guid(netAppAccount.name, principalId, roleAssignmentObj.roleDefinitionIdOrName)
 properties: {
 roleDefinitionId: contains(builtInRoleNames, roleAssignmentObj.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignmentObj.roleDefinitionIdOrName] : roleAssignmentObj.roleDefinitionIdOrName
 principalId: principalId
 }
+ scope: netAppAccount
 }]
diff --git a/arm/Microsoft.NetApp/netAppAccounts/deploy.bicep b/arm/Microsoft.NetApp/netAppAccounts/deploy.bicep
index 04ee1efef4..24a8d2494d 100644
--- a/arm/Microsoft.NetApp/netAppAccounts/deploy.bicep
+++ b/arm/Microsoft.NetApp/netAppAccounts/deploy.bicep
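Review bot: `roleDefinitionId` falls back to the raw `roleAssignmentObj.roleDefinitionIdOrName` whenever the string is not a key of `builtInRoleNames`, so a mistyped friendly name such as `Contributer` is handed to ARM as a role definition ID and is rejected only at deployment time, and a caller-supplied full ID is passed through with no check that it points at a `Microsoft.Authorization/roleDefinitions` resource. The accepted contract is not written anywhere in this file; add it above the parameter, e.g. `// roleAssignmentObj.roleDefinitionIdOrName: a key of builtInRoleNames below, or a full /subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<guid> ID` (or a `@description` decorator if the Bicep version in use supports it). That comment should also call out that `Owner` and `User Access Administrator` are in the map and let the assignee create further role assignments at the account scope, because a caller of this module only ever sees a friendly name.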
@@ -54,22 +54,6 @@ var activeDirectoryConnectionProperties = [
 }
 ]
-var builtInRoleNames = {
- 'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
- 'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
- 'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
- 'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
- 'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
- 'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
- 'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
- 'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
- 'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
- 'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
- 'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
- 'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
- 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
-}
 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) {
 name: 'pid-${cuaId}'
 params: {}
@@ -97,7 +81,6 @@ module netAppAccount_rbac '.bicep/nested_rbac.bicep' = [for (roleAssignment, ind
 name: '${uniqueString(deployment().name, location)}-ANFAccount-Rbac-${index}'
 params: {
 roleAssignmentObj: roleAssignment
- builtInRoleNames: builtInRoleNames
 resourceName: netAppAccount.name
 }
 }]
@@ -106,7 +89,6 @@ module netAppAccount_capacityPools '.bicep/nested_capacityPool.bicep' = [for (ca
 name: '${uniqueString(deployment().name, location)}-ANFAccount-CapPool-${index}'
 params: {
 capacityPoolObj: capacityPool
- builtInRoleNames: builtInRoleNames
 location: location
 netAppAccountName: netAppAccount.name
 }
diff --git a/arm/Microsoft.NetApp/netAppAccounts/readme.md b/arm/Microsoft.NetApp/netAppAccounts/readme.md
index 36609f0584..d5afcb83c9 100644
--- a/arm/Microsoft.NetApp/netAppAccounts/readme.md
+++ b/arm/Microsoft.NetApp/netAppAccounts/readme.md
@@ -7,12 +7,10 @@ This template deploys Azure NetApp Files.
 | Resource Type | Api Version |
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | 2016-09-01 |
+| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview |
 | `Microsoft.NetApp/netAppAccounts` | 2021-04-01 |
 | `Microsoft.NetApp/netAppAccounts/capacityPools` | 2021-04-01 |
-| `Microsoft.NetApp/netAppAccounts/capacityPools/providers/roleAssignments` | 2021-04-01-preview |
 | `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | 2021-04-01 |
-| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes/providers/roleAssignments` | 2021-04-01-preview |
-| `Microsoft.NetApp/netAppAccounts/providers/roleAssignments` | 2021-04-01-preview |
 ## Parameters
@@ -184,6 +182,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a
 ## Template references
 - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments)
 - [Netappaccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2021-04-01/netAppAccounts)
 - [Netappaccounts/Capacitypools](https://docs.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2021-04-01/netAppAccounts/capacityPools)
 - [Netappaccounts/Capacitypools/Volumes](https://docs.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2021-04-01/netAppAccounts/capacityPools/volumes)