diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep
index 9d3b60b125..a09e9a0f10 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_mg.bicep
@@ -24,8 +24,16 @@ param condition string = ''
 ])
 param conditionVersion string = '2.0'
-@sys.description('Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device"')
-param principalType string = 'ServicePrincipal'
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
 var builtInRoleNames_var = {
 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
@@ -313,13 +321,13 @@ var builtInRoleNames_var = {
 var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
 name: guid(managementGroupId, roleDefinitionId_var, principalId)
 properties: {
 roleDefinitionId: roleDefinitionId_var
 principalId: principalId
 description: !empty(description) ? description : null
- principalType: !empty(principalType) ? principalType : null
+ principalType: !empty(principalType) ? any(principalType) : null
 delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
 conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
 condition: !empty(condition) ? condition : null
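Review bot: The new `@sys.description` no longer tells the caller what the new default `''` means, and the old default `'ServicePrincipal'` is dropped without any note that this changes behaviour for existing consumers who relied on it. With `''` the resource body in the next hunk sends no `principalType` at all, so the service has to resolve the principal's type through a directory lookup; for a service principal created moments earlier that lookup can fail, which is presumably why the old default named `ServicePrincipal` explicitly, and setting the value is also a cheap check that `principalId` really is the kind of object the caller expects. I would extend the description to `'Optional. The principal type of the assigned principal ID. Leave empty to let the service resolve it; set it for newly created principals so the assignment does not depend on a directory lookup, and to assert the expected principal kind.'` and call out the default change in the readme. The identical parameter block appears in nested_rbac_rg.bicep, nested_rbac_sub.bicep and deploy.bicep.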
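Review bot: The `any(principalType)` cast on the `principalType` property turns off Bicep's type checking for that value with no comment explaining why, and the same cast is added in nested_rbac_rg.bicep and nested_rbac_sub.bicep. The likely reason is that the parameter's allowed set now contains `''` as an "unset" sentinel that the resource's `principalType` enum does not accept, so the ternary's type is no longer assignable even though the `!empty()` guard never lets `''` through. A one-line comment would keep the next reader from either removing the cast or treating it as licence to pass arbitrary strings, e.g. `// any(): the param allows '' as "unset", which the resource enum rejects at type-check time; the empty() guard keeps '' from reaching the property`. Separately, the resource moves to `2021-04-01-preview` here and in the readme's resource-type table, but the readme's template-reference link in this same commit points at `2020-08-01-preview`; the three should agree.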
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep
index 590e8107fd..1c23649108 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_rg.bicep
@@ -27,8 +27,16 @@ param condition string = ''
 ])
 param conditionVersion string = '2.0'
-@sys.description('Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device"')
-param principalType string = 'ServicePrincipal'
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
 var builtInRoleNames_var = {
 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
@@ -316,13 +324,13 @@ var builtInRoleNames_var = {
 var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
 name: guid(subscriptionId, resourceGroupName, roleDefinitionId_var, principalId)
 properties: {
 roleDefinitionId: roleDefinitionId_var
 principalId: principalId
 description: !empty(description) ? description : null
- principalType: !empty(principalType) ? principalType : null
+ principalType: !empty(principalType) ? any(principalType) : null
 delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
 conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
 condition: !empty(condition) ? condition : null
diff --git a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep
index 58dab39398..e4cf93f54c 100644
--- a/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/.bicep/nested_rbac_sub.bicep
@@ -24,8 +24,16 @@ param condition string = ''
 ])
 param conditionVersion string = '2.0'
-@sys.description('Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device"')
-param principalType string = 'ServicePrincipal'
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
 var builtInRoleNames_var = {
 'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
@@ -313,13 +321,13 @@ var builtInRoleNames_var = {
 var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
 name: guid(subscriptionId, roleDefinitionId_var, principalId)
 properties: {
 roleDefinitionId: roleDefinitionId_var
 principalId: principalId
 description: !empty(description) ? description : null
- principalType: !empty(principalType) ? principalType : null
+ principalType: !empty(principalType) ? any(principalType) : null
 delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
 conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
 condition: !empty(condition) ? condition : null
diff --git a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
index 01ea8ceec6..9ac08cb0ea 100644
--- a/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
+++ b/arm/Microsoft.Authorization/roleAssignments/deploy.bicep
@@ -33,8 +33,16 @@ param condition string = ''
 ])
 param conditionVersion string = '2.0'
-@sys.description('Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device"')
-param principalType string = 'ServicePrincipal'
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+ 'ServicePrincipal'
+ 'Group'
+ 'User'
+ 'ForeignGroup'
+ 'Device'
+ ''
+])
+param principalType string = ''
 module roleAssignment_mg '.bicep/nested_rbac_mg.bicep' = if (!empty(managementGroupId) && empty(subscriptionId) && empty(resourceGroupName)) {
 name: '${uniqueString(deployment().name, location)}-RoleAssignment-MG-Module'
diff --git a/arm/Microsoft.Authorization/roleAssignments/readme.md b/arm/Microsoft.Authorization/roleAssignments/readme.md
index ed38221b01..85d6286130 100644
--- a/arm/Microsoft.Authorization/roleAssignments/readme.md
+++ b/arm/Microsoft.Authorization/roleAssignments/readme.md
@@ -6,7 +6,7 @@ This module deploys Role Assignments.
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview |
+| `Microsoft.Authorization/roleAssignments` | 2021-04-01-preview |
 ## Parameters
@@ -14,12 +14,12 @@ This module deploys Role Assignments.
 | :-- | :-- | :-- | :-- | :-- |
 | `condition` | string | | | Optional. The conditions on the role assignment. This limits the resources it can be assigned to |
 | `conditionVersion` | string | `2.0` | `[2.0]` | Optional. Version of the condition. Currently accepted value is "2.0" |
-| `delegatedManagedIdentityResourceId` | string | | | Optional. Id of the delegated managed identity resource |
+| `delegatedManagedIdentityResourceId` | string | | | Optional. ID of the delegated managed identity resource |
 | `description` | string | | | Optional. Description of role assignment |
 | `location` | string | `[deployment().location]` | | Optional. Location for all resources. |
 | `managementGroupId` | string | | | Optional. Group ID of the Management Group to assign the RBAC role to. If no Subscription is provided, the module deploys at management group level, therefore assigns the provided RBAC role to the management group. |
 | `principalId` | string | | | Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity) |
-| `principalType` | string | `ServicePrincipal` | | Optional. The principal type of the assigned principal ID. Allowed Values "ServicePrincipal", "Group", "User", "ForeignGroup", "Device" |
+| `principalType` | string | '' | `[ServicePrincipal, Group, User, ForeignGroup, Device, ]` | Optional. The principal type of the assigned principal ID. |
 | `resourceGroupName` | string | | | Optional. Name of the Resource Group to assign the RBAC role to. If no Resource Group name is provided, and Subscription ID is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. |
 | `roleDefinitionIdOrName` | string | | | Required. You can provide either the display name of the role definition, or it's fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `subscriptionId` | string | | | Optional. Subscription ID of the subscription to assign the RBAC role to. If no Resource Group name is provided, the module deploys at subscription level, therefore assigns the provided RBAC role to the subscription. |
@@ -75,4 +75,4 @@ This module can be deployed at the management group, subscription or resource gr
 ## Template references
-- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments)
+- [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-08-01-preview/roleAssignments)