From fc5f4a9ee33063283766d8b84b23c0fffe842d5b Mon Sep 17 00:00:00 2001
From: komalg1
Date: Thu, 18 Jan 2024 00:06:17 +0000
Subject: [PATCH] fix for rbac roles (#206)

---
 .env.sample | 2 +-
 infra/deployment.bicep | 166 ++++++-
 infra/deployment.json | 1072 +++++++++++++++++++++++++++++++++++++++-
 3 files changed, 1221 insertions(+), 19 deletions(-)

diff --git a/.env.sample b/.env.sample
index a6a5aad95..0757696f8 100644
--- a/.env.sample
+++ b/.env.sample
@@ -49,4 +49,4 @@ ORCHESTRATION_STRATEGY=openai_functions
 #Speech-to-text feature
 AZURE_SPEECH_SERVICE_KEY=
 AZURE_SPEECH_SERVICE_REGION=
-AZURE_AUTH_TYPE=keys
\ No newline at end of file
+AZURE_AUTH_TYPE=rbac
\ No newline at end of file
diff --git a/infra/deployment.bicep b/infra/deployment.bicep
index a8cad04dc..253c1ef43 100644
--- a/infra/deployment.bicep
+++ b/infra/deployment.bicep
@@ -151,7 +151,7 @@ param newGuidString string = newGuid()
 'keys'
 'rbac'
 ])
-param authType string = 'keys'
+param authType string = 'rbac'
 
 var WebAppImageName = 'DOCKER|fruoccopublic.azurecr.io/rag-webapp'
 var AdminWebAppImageName = 'DOCKER|fruoccopublic.azurecr.io/rag-adminwebapp'
@@ -539,6 +539,7 @@ resource Function 'Microsoft.Web/sites@2018-11-01' = {
 clientAffinityEnabled: false
 httpsOnly: true
 }
+ identity: { type: authType == 'rbac' ? 'SystemAssigned' : 'None' }
 }
 
 resource FunctionName_default_clientKey 'Microsoft.Web/sites/host/functionKeys@2018-11-01' = {
@@ -628,6 +629,39 @@ module cognitiveServicesContributorRoleSearch 'security/role.bicep' = if (authTy
 }
 }
 
+// Cognitive Services OpenAI Contributor role
+module openAiContributorRoleBackend 'security/role.bicep' = if (authType == 'rbac') {
+ scope: resourceGroup()
+ name: 'openai-contributor-role-backend'
+ params: {
+ principalId: Website.identity.principalId
+ roleDefinitionId: 'a001fd3d-188f-4b5d-821b-7da978bf7442'
+ principalType: 'ServicePrincipal'
+ }
+}
+
+// Cognitive Services OpenAI Contributor role
+module openAiContributorRoleFunction 'security/role.bicep' = if (authType == 'rbac') {
+ scope: resourceGroup()
+ name: 'openai-contributor-role-function'
+ params: {
+ principalId: Function.identity.principalId
+ roleDefinitionId: 'a001fd3d-188f-4b5d-821b-7da978bf7442'
+ principalType: 'ServicePrincipal'
+ }
+}
+
+// Cognitive Services OpenAI Contributor role
+module openAiContributorRoleAdmin 'security/role.bicep' = if (authType == 'rbac') {
+ scope: resourceGroup()
+ name: 'openai-contributor-role-admin'
+ params: {
+ principalId: WebsiteName_admin.identity.principalId
+ roleDefinitionId: 'a001fd3d-188f-4b5d-821b-7da978bf7442'
+ principalType: 'ServicePrincipal'
+ }
+}
+
 // Cognitive Services OpenAI User role
 module openAiRoleBackend 'security/role.bicep' = if (authType == 'rbac') {
 scope: resourceGroup()
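Review bot: The three new `openAiContributorRole*` modules grant Cognitive Services OpenAI Contributor (`a001fd3d-…`) to the same principals that the `openAiRoleBackend` block immediately below already grants the OpenAI User role, and like the rest of the file they use `scope: resourceGroup()`, so the assignment lands on the whole resource group rather than on the Azure OpenAI account alone. If the apps only call the inference endpoints, the User role should already cover that and the Contributor grant is surplus privilege; if Contributor is genuinely required, the comment should name the operation that needs it, e.g. `// Cognitive Services OpenAI Contributor role — required for <operation>; the User role alone is not sufficient`. Narrowing the assignment to the OpenAI resource would have to happen inside `security/role.bicep` (not in this diff) by giving the roleAssignments resource a resource-level `scope`; the compiled JSON later in this patch shows the assignment with no `scope` property, i.e. resource-group level. The `module openAiRoleBackend` definition continues past the end of the hunk.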
@@ -661,6 +695,39 @@ module searchServiceRoleOpenAi 'security/role.bicep' = if (authType == 'rbac') {
 }
 }
 
+// Search Service Contributor role
+module searchServiceRoleBackend 'security/role.bicep' = if (authType == 'rbac') {
+ scope: resourceGroup()
+ name: 'search-service-role-backend'
+ params: {
+ principalId: Website.identity.principalId
+ roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
+ principalType: 'ServicePrincipal'
+ }
+}
+
+// Search Service Contributor role
+module searchServiceRoleFunction 'security/role.bicep' = if (authType == 'rbac') {
+ scope: resourceGroup()
+ name: 'search-service-role-function'
+ params: {
+ principalId: Function.identity.principalId
+ roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
+ principalType: 'ServicePrincipal'
+ }
+}
+
+// Search Service Contributor role
+module searchServiceRoleAdmin 'security/role.bicep' = if (authType == 'rbac') {
+ scope: resourceGroup()
+ name: 'search-service-role-admin'
+ params: {
+ principalId: WebsiteName_admin.identity.principalId
+ roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
+ principalType: 'ServicePrincipal'
+ }
+}
+
 // Search Index Data Reader role
 module searchRoleBackend 'security/role.bicep' = if (authType == 'rbac') {
 scope: resourceGroup()
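Review bot: Search Service Contributor (`7ca78c08-…`) is a control-plane role over the search service, and this hunk hands it to all three principals at `scope: resourceGroup()`, including the backend web app that the `searchRoleBackend` block just below previously only needed Search Index Data Reader for. Unless the backend and function actually create or alter indexes, this is broader than a query path needs; judging from the component names the admin (ingestion) app is the one likely to require it, but that is inferred and should be confirmed against the application code. The three comments are identical (`// Search Service Contributor role`), so none records why management rights are needed; the one on the component that really needs them should say so, e.g. `// Search Service Contributor — lets the admin app create/update the index definition`. The `module searchRoleBackend` definition continues past the end of the hunk.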
@@ -671,3 +738,100 @@ module searchRoleBackend 'security/role.bicep' = if (authType == 'rbac') { principalType: 'ServicePrincipal' } } + +module storageRoleBackend 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'storage-role-backend' + params: { + principalId: Website.identity.principalId + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + principalType: 'ServicePrincipal' + } +} + +module storageRoleFunction 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'storage-role-function' + params: { + principalId: Function.identity.principalId + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + principalType: 'ServicePrincipal' + } +} + +module storageRoleAdmin 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'storage-role-admin' + params: { + principalId: WebsiteName_admin.identity.principalId + roleDefinitionId: '2a2b9908-6ea1-4ae2-8e65-a410df84e7d1' + principalType: 'ServicePrincipal' + } +} + +// Used to read index definitions (required when using authentication) +// https://learn.microsoft.com/azure/search/search-security-rbac +module searchReaderRoleBackend 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'search-reader-role-backend' + params: { + principalId: Website.identity.principalId + roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' + principalType: 'ServicePrincipal' + } +} + +// Reader +module searchReaderRoleFunction 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'search-reader-role-function' + params: { + principalId: Function.identity.principalId + roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' + principalType: 'ServicePrincipal' + } +} + +// Reader +module searchReaderRoleAdmin 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'search-reader-role-admin' + params: { + principalId: 
WebsiteName_admin.identity.principalId + roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' + principalType: 'ServicePrincipal' + } +} + +// Search Index Data Contributor +module searchIndexDataContBackend 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'search-index-data-cont-backend' + params: { + principalId: Website.identity.principalId + roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7' + principalType: 'ServicePrincipal' + } +} + +// Search Index Data Contributor +module searchIndexDataContFunction 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'search-index-data-cont-function' + params: { + principalId: Function.identity.principalId + roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7' + principalType: 'ServicePrincipal' + } +} + +// Search Index Data Contributor +module searchIndexDataContAdmin 'security/role.bicep' = if (authType == 'rbac') { + scope: resourceGroup() + name: 'search-index-data-cont-admin' + params: { + principalId: WebsiteName_admin.identity.principalId + roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7' + principalType: 'ServicePrincipal' + } +} diff --git a/infra/deployment.json b/infra/deployment.json index 27f0211bd..e2e97f37a 100644 --- a/infra/deployment.json +++ b/infra/deployment.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "10256225358486194260" + "version": "0.23.1.45101", + "templateHash": "13050051972128390923" } }, "parameters": { @@ -325,7 +325,7 @@ }, "authType": { "type": "string", - "defaultValue": "keys", + "defaultValue": "rbac", "allowedValues": [ "keys", "rbac" 
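Review bot: The `searchReaderRole*` modules assign the built-in Reader role (`acdd72a7-…`, labelled `// Reader` on the function and admin copies) with `scope: resourceGroup()`, which grants read access to every resource in the group rather than to the search service, and the comment on the backend copy (`// Used to read index definitions (required when using authentication)`) describes a search-specific need that this role does not express — it reads as if it were carried over from the Search Service Contributor assignment in the previous hunk. If reading index definitions is the requirement, the Search Service Contributor grant already covers it and the Reader assignments can probably be dropped, or at least limited to the search service by a resource-level `scope` on the roleAssignments resource inside `security/role.bicep` (not in this diff). The `storageRole*` modules are the only ones without a role-name comment; `2a2b9908-…` is, as far as I know, Storage Blob Data Reader, so a `// Storage Blob Data Reader role` comment would help, and if the admin app is the component that uploads documents a read-only blob role will not be enough — worth confirming against the app code before the default flips to rbac. As a point of style, this hunk adds nine near-identical ten-line modules (fifteen across the patch); a single `module roles 'security/role.bicep' = [for p in principals: { … }]` over an array of `{ name, principalId }` objects would make each component's role set reviewable at a glance.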
@@ -1043,6 +1043,9 @@ "clientAffinityEnabled": false, "httpsOnly": true }, + "identity": { + "type": "[if(equals(parameters('authType'), 'rbac'), 'SystemAssigned', 'None')]" + }, "dependsOn": [ "[resourceId('Microsoft.Insights/components', parameters('ApplicationInsightsName'))]", "[resourceId('Microsoft.Web/serverfarms', parameters('HostingPlanName'))]", @@ -1153,8 +1156,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "2184194315885104837" + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" }, "description": "Creates a role assignment for a service principal." }, @@ -1222,8 +1225,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "2184194315885104837" + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" }, "description": "Creates a role assignment for a service principal." }, 
@@ -1264,6 +1267,213 @@ "[resourceId('Microsoft.Search/searchServices', parameters('AzureCognitiveSearch'))]" ] }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "openai-contributor-role-backend", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('WebsiteName')), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "a001fd3d-188f-4b5d-821b-7da978bf7442" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('WebsiteName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "openai-contributor-role-function", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), '2018-11-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "a001fd3d-188f-4b5d-821b-7da978bf7442" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "openai-contributor-role-admin", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName'))), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "a001fd3d-188f-4b5d-821b-7da978bf7442" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName')))]" + ] + }, { "condition": "[equals(parameters('authType'), 'rbac')]", "type": "Microsoft.Resources/deployments", @@ -1291,8 +1501,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "2184194315885104837" + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" }, "description": "Creates a role assignment for a service principal." }, @@ -1360,8 +1570,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "2184194315885104837" + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" }, "description": "Creates a role assignment for a service principal." }, @@ -1429,8 +1639,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "2184194315885104837" + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" }, "description": "Creates a role assignment for a service principal." }, 
@@ -1475,7 +1685,7 @@ "condition": "[equals(parameters('authType'), 'rbac')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "search-role-backend", + "name": "search-service-role-backend", "properties": { "expressionEvaluationOptions": { "scope": "inner" @@ -1486,7 +1696,7 @@ "value": "[reference(resourceId('Microsoft.Web/sites', parameters('WebsiteName')), '2020-06-01', 'full').identity.principalId]" }, "roleDefinitionId": { - "value": "1407120a-92aa-4202-b7e9-c0e197c71c8f" + "value": "7ca78c08-252a-4471-8644-bb5ff32d4ba0" }, "principalType": { "value": "ServicePrincipal" @@ -1498,8 +1708,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.24.24.22086", - "templateHash": "2184194315885104837" + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" }, "description": "Creates a role assignment for a service principal." }, 
@@ -1539,6 +1749,834 @@ "dependsOn": [ "[resourceId('Microsoft.Web/sites', parameters('WebsiteName'))]" ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-service-role-function", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), '2018-11-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "7ca78c08-252a-4471-8644-bb5ff32d4ba0" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-service-role-admin", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName'))), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "7ca78c08-252a-4471-8644-bb5ff32d4ba0" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName')))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-role-backend", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('WebsiteName')), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "1407120a-92aa-4202-b7e9-c0e197c71c8f" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('WebsiteName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage-role-backend", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('WebsiteName')), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('WebsiteName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage-role-function", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), '2018-11-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "storage-role-admin", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName'))), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "2a2b9908-6ea1-4ae2-8e65-a410df84e7d1" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName')))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-reader-role-backend", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('WebsiteName')), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "acdd72a7-3385-48ef-bd42-f606fba81ae7" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('WebsiteName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-reader-role-function", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), '2018-11-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "acdd72a7-3385-48ef-bd42-f606fba81ae7" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-reader-role-admin", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName'))), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "acdd72a7-3385-48ef-bd42-f606fba81ae7" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName')))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-index-data-cont-backend", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('WebsiteName')), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "8ebe5a00-799e-43f5-93ac-243d3dce84a7" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('WebsiteName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-index-data-cont-function", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', parameters('FunctionName')), '2018-11-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "8ebe5a00-799e-43f5-93ac-243d3dce84a7" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', parameters('FunctionName'))]" + ] + }, + { + "condition": "[equals(parameters('authType'), 'rbac')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "search-index-data-cont-admin", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "principalId": { + "value": "[reference(resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName'))), '2020-06-01', 'full').identity.principalId]" + }, + "roleDefinitionId": { + "value": "8ebe5a00-799e-43f5-93ac-243d3dce84a7" + }, + "principalType": { + "value": "ServicePrincipal" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.23.1.45101", + "templateHash": "8211880587811090337" + }, + "description": "Creates a role assignment for a service principal." 
+ }, + "parameters": { + "principalId": { + "type": "string" + }, + "principalType": { + "type": "string", + "defaultValue": "ServicePrincipal", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ] + }, + "roleDefinitionId": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "name": "[guid(subscription().id, resourceGroup().id, parameters('principalId'), parameters('roleDefinitionId'))]", + "properties": { + "principalId": "[parameters('principalId')]", + "principalType": "[parameters('principalType')]", + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/sites', format('{0}-admin', parameters('WebsiteName')))]" + ] } ] } \ No newline at end of file