Saturday 7 August 2021

Role Assignment with Azure Bicep

Assigning roles to Azure resources is a required step in infrastructure deployments. Azure Bicep supports assigning roles to Azure resources with the 'Microsoft.Authorization/roleAssignments' resource template. Let's take an example scenario to see how to set up a role assignment.

To read configurations from the Azure App Configuration service in a web app or function app, we have to add the 'App Configuration Data Reader' role for the managed identity of that web app or function app. Once the role assignment is added on the App Configuration service, the web app can read configurations from it. Let's see how we can use Bicep scripts to add such a role assignment.

We need to create a pricing plan for the web app. The Bicep module code is as follows. We are exposing the plan id as an output parameter.
param planName string
param planSKUName string
param planSKUCapacity int
param planKind string
param location string

resource plan 'Microsoft.Web/serverfarms@2020-12-01' = {
  name: planName
  location: location
  sku: {
    name: planSKUName
    capacity: planSKUCapacity
  }
  kind: planKind

  properties: {
    // reserved must be true for a Linux plan
    reserved: true
  }
}

output planId string = plan.id


We can define the web app module as below. Notice that we create a system-assigned managed identity for the web app and expose its principal id as an output parameter.
param webappName string
param planId string
param linuxFxVersion string
param location string

resource webapplinux 'Microsoft.Web/sites@2018-11-01' = {
  name: webappName
  location: location

  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: planId
    siteConfig: {
      linuxFxVersion: linuxFxVersion
    }
  }
}

// Principal (object) id of the system-assigned identity, needed for the role assignment
output servicePrincipalId string = webapplinux.identity.principalId


Then we can define an app configuration service as below. 

param appconfigName string
param appconfigSKUName string
param webAppId string
param location string
param subscriptionId string = subscription().subscriptionId

resource appconfig 'Microsoft.AppConfiguration/configurationStores@2021-03-01-preview' = {
  name: appconfigName
  location: location
  sku: {
    name: appconfigSKUName
  }
  
  properties: {
    disableLocalAuth: false
    encryption: {}
  }
}

resource appConfigRoleWebApp 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  name: webAppId
  scope: appconfig
  properties: {
    principalId: webAppId
    principalType: 'ServicePrincipal'
    roleDefinitionId: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'
  }
}

In the above code, note that we have used the managed identity's principal id GUID as the role assignment name as well, since the role assignment name must be a unique GUID. The role definition id of the 'App Configuration Data Reader' role is specified in the format below.

'/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071'

516239f1-63e1-4d78-a4de-a74fb236a071 is the id of the built-in 'App Configuration Data Reader' role. You can find the ids of the built-in Azure roles in the Azure built-in roles documentation.
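As an added example that is not code from the original post, here is a variant of the app configuration module that goes a little beyond the post's version: it derives the role assignment name with guid() from the scope, the principal and the role, so the same identity can later hold a second role on the same store without a name collision and repeated deployments stay idempotent, and it builds the role definition id with subscriptionResourceId() instead of string interpolation. The module file name, the principalId parameter name and the disableLocalAuth default are assumptions of this example; the role GUID is the 'App Configuration Data Reader' id given in the post.

```bicep
// Added example: hardened variant of the appconfig module (not the original post's code).
// Assumed file name: appconfig-rbac.bicep, deployed at resource group scope like the post's modules.
param appconfigName string
param appconfigSKUName string
param location string

@description('Object (principal) id of the web app system-assigned identity, e.g. webapp.outputs.servicePrincipalId')
param principalId string

@description('Assumption of this example: once RBAC is in place the store access keys are switched off, so only Azure AD identities can read the store')
param disableLocalAuth bool = true

// Built-in role id of 'App Configuration Data Reader' (from the post)
var appConfigDataReaderRoleId = '516239f1-63e1-4d78-a4de-a74fb236a071'

resource appconfig 'Microsoft.AppConfiguration/configurationStores@2021-03-01-preview' = {
  name: appconfigName
  location: location
  sku: {
    name: appconfigSKUName
  }
  properties: {
    disableLocalAuth: disableLocalAuth
  }
}

resource appConfigRoleWebApp 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // Deterministic GUID from scope + principal + role: unique per (store, identity, role)
  // and stable across redeployments, unlike a name reused from the principal id alone.
  name: guid(appconfig.id, principalId, appConfigDataReaderRoleId)
  scope: appconfig
  properties: {
    principalId: principalId
    // Stating principalType lets ARM skip the directory lookup of a freshly created identity,
    // which avoids "principal not found" failures caused by directory replication delay.
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', appConfigDataReaderRoleId)
  }
}

// Endpoint the web app connects to with its managed identity (no access key needed)
output appconfigEndpoint string = appconfig.properties.endpoint
output roleAssignmentId string = appConfigRoleWebApp.id
```

In main.bicep the module is referenced like the post's appconfig module, passing principalId: webapp.outputs.servicePrincipalId. Because the module reads an output of the webapp module, Bicep infers the dependency on the web app, so an explicit dependsOn is optional here. Leaving disableLocalAuth at its default of true means any client still using the store's connection string stops working, which is the intended effect once all readers use a managed identity.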

To use all of the above together in the main Bicep file you can define the Bicep code as below. Notice that we have set a dependsOn on the web app module for the app configuration module, as we need the web app's managed identity principal id in the app config module to create the role assignment.

targetScope='subscription'
param rgName string = 'rg-chbicepdemo-001'
param rgLocation string = 'eastus'

param planName string = 'plan-bicepdemo-001'
param planSKUName string = 'B3'
param planSKUCapacity int = 1
param planKind string = 'linux'

param webappName string = 'app-bicepdemo-001'
param linuxFxVersion string = 'node|14-lts'

param appconfigName string = 'appcs-bicepdemo-001'
param appconfigSKUName string = 'Standard'

resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: rgName
  location: rgLocation
  tags: {
    'tag': 'bicepdemo'
  }
}

module webappplan 'pricingplan.bicep' = {
  name: 'plan'
  scope:rg
  params:{
    location:rgLocation
    planKind:planKind
    planName:planName
    planSKUCapacity:planSKUCapacity
    planSKUName:planSKUName
  }
}

module webapp 'webapplinux.bicep' = {
  name: 'webapp'
  scope:rg
  params:{
    location:rgLocation
    linuxFxVersion:linuxFxVersion
    planId:webappplan.outputs.planId
    webappName:webappName
  }
}

module appconfig 'appconfig.bicep' = {
  name: 'appconfig'
  scope:rg
  params:{
    appconfigName:appconfigName
    appconfigSKUName:appconfigSKUName
    location: rgLocation
    webAppId: webapp.outputs.servicePrincipalId
  }

  dependsOn:[
    webapp
  ]
}



Once you run the Bicep script using the command line below, or using an Azure DevOps pipeline as shown here, the resources will be deployed and you will be able to see that the App Configuration service has the role assignment added.

az deployment sub create --name 'roledemo001' --location eastus --template-file main.bicep --parameters rgLocation='eastus'

