To read configuration from the Azure App Configuration service in a web app or function app, we have to assign the 'App Configuration Data Reader' role to the managed identity of that web app or function app. Once the role assignment is added to the App Configuration service, the web app can read configurations from it. Let's see how we can use Bicep to add such a role assignment.
First we need an App Service (pricing) plan for the web app. The Bicep module is as follows; the plan id is exposed as an output parameter.
param planName string
param planSKUName string
param planSKUCapacity int
param planKind string
param location string

resource plan 'Microsoft.Web/serverfarms@2020-12-01' = {
  name: planName
  location: location
  sku: {
    name: planSKUName
    capacity: planSKUCapacity
  }
  kind: planKind
  properties: {
    reserved: true
  }
}

output planId string = plan.id
We can define the web app module as below. Notice that we create a system-assigned managed identity for the web app and expose its principal id as an output parameter.
param webappName string
param planId string
param linuxFxVersion string
param location string

resource webapplinux 'Microsoft.Web/sites@2018-11-01' = {
  name: webappName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: planId
    siteConfig: {
      linuxFxVersion: linuxFxVersion
    }
  }
}

output servicePrincipalId string = webapplinux.identity.principalId
Then we can define the App Configuration service module as below.
param appconfigName string
param appconfigSKUName string
param webAppId string
param location string
param subscriptionId string = subscription().subscriptionId

resource appconfig 'Microsoft.AppConfiguration/configurationStores@2021-03-01-preview' = {
  name: appconfigName
  location: location
  sku: {
    name: appconfigSKUName
  }
  properties: {
    disableLocalAuth: false
    encryption: {}
  }
}

resource appConfigRoleWebApp 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: webAppId
  scope: appconfig
  properties: {
    principalId: webAppId
    principalType: 'ServicePrincipal'
    roleDefinitionId: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
  }
}
In the above code, note that we have used the managed identity's principal id GUID as the role assignment name as well, since the name must be a unique GUID. The role definition id of the 'App Configuration Data Reader' role is specified in the format below.
'/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
516239f1-63e1-4d78-a4de-a74fb236a071 is the id of the built-in 'App Configuration Data Reader' role. You can find the ids of the built-in Azure roles from here.
To use all of the above together in the main Bicep file, you can define the code as below. Notice that we have set dependsOn on the web app module for the app configuration module, as we need the web app's managed identity principal id in the app config module to create the role assignment.
targetScope = 'subscription'

param rgName string = 'rg-chbicepdemo-001'
param rgLocation string = 'eastus'
param planName string = 'plan-bicepdemo-001'
param planSKUName string = 'B3'
param planSKUCapacity int = 1
param planKind string = 'linux'
param webappName string = 'app-bicepdemo-001'
param linuxFxVersion string = 'node|14-lts'
param appconfigName string = 'appcs-bicepdemo-001'
param appconfigSKUName string = 'Standard'

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: rgName
  location: rgLocation
  tags: {
    'tag': 'bicepdemo'
  }
}

module webappplan 'pricingplan.bicep' = {
  name: 'plan'
  scope: rg
  params: {
    location: rgLocation
    planKind: planKind
    planName: planName
    planSKUCapacity: planSKUCapacity
    planSKUName: planSKUName
  }
}

module webapp 'webapplinux.bicep' = {
  name: 'webapp'
  scope: rg
  params: {
    location: rgLocation
    linuxFxVersion: linuxFxVersion
    planId: webappplan.outputs.planId
    webappName: webappName
  }
}

module appconfig 'appconfig.bicep' = {
  name: 'appconfig'
  scope: rg
  params: {
    appconfigName: appconfigName
    appconfigSKUName: appconfigSKUName
    location: rgLocation
    webAppId: webapp.outputs.servicePrincipalId
  }
  dependsOn: [
    webapp
  ]
}
Once you run the Bicep script using the command line below, or using an Azure DevOps pipeline as shown here, the resources will be deployed and you will be able to see that the App Configuration service has the role assignment added.
az deployment sub create --name 'roledemo001' --location eastus --template-file main.bicep --parameters rgLocation='eastus'
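As an added example that is not part of the original post, here is a hardened variant of the appconfig.bicep module above: the role assignment name is derived with guid() from scope, principal and role so redeploys are idempotent, the role definition id is built with subscriptionResourceId() instead of string interpolation, and disableLocalAuth is set to true so the store only accepts Azure AD identities authorised through RBAC. The dataReaderRoleId variable and the endpoint output are assumptions added here, not part of the original module.

```bicep
// Added example (not from the original post): hardened appconfig.bicep.
// Same inputs as the original module; dataReaderRoleId and the endpoint
// output are additions made here.
param appconfigName string
param appconfigSKUName string
param webAppId string
param location string

// Built-in 'App Configuration Data Reader' role id, as given in the post.
var dataReaderRoleId = '516239f1-63e1-4d78-a4de-a74fb236a071'

resource appconfig 'Microsoft.AppConfiguration/configurationStores@2021-03-01-preview' = {
  name: appconfigName
  location: location
  sku: {
    name: appconfigSKUName
  }
  properties: {
    // Turn off access-key (local) authentication so the only way to read
    // configuration is an Azure AD identity holding an RBAC role on the store.
    disableLocalAuth: true
    encryption: {}
  }
}

resource appConfigRoleWebApp 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // Deterministic GUID from store id + principal + role: the same inputs always
  // produce the same name, so redeploying is idempotent, and the same identity
  // can receive other roles elsewhere without reusing its principal id as a name.
  name: guid(appconfig.id, webAppId, dataReaderRoleId)
  scope: appconfig
  properties: {
    principalId: webAppId
    principalType: 'ServicePrincipal'
    // Resolves to /subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<id>
    // for the subscription being deployed to, without hand-building the path.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', dataReaderRoleId)
  }
}

// The web app connects to this endpoint with its managed identity; no
// connection string is needed (or available, with local auth disabled).
output appconfigEndpoint string = appconfig.properties.endpoint
```

With local auth disabled the web app must connect using the store endpoint and its managed identity (for example DefaultAzureCredential in the App Configuration client libraries) rather than a connection string.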