Fix Organizational Azure ARM template (#2028)
kubasobon authored Mar 13, 2024
1 parent 724a151 commit 36b608b
Showing 2 changed files with 91 additions and 31 deletions.
58 changes: 37 additions & 21 deletions deploy/azure/ARM-for-organization-account.dev.json
Expand Up @@ -50,8 +50,8 @@
},
"variables": {
"resourceGroupDeployment": "[concat('resource-group-deployment-', deployment().location)]",
"roleAssignmentDeployment": "[concat('role-assignment-deployment-', deployment().name)]",
"roleGUID": "[guid(subscription().subscriptionId)]"
"roleAssignmentDeployment": "[concat('role-assignment-deployment-', deployment().location)]",
"roleGUID": "[guid(parameters('SubscriptionId'))]"
},
"resources": [
{
Expand Down Expand Up @@ -106,6 +106,12 @@
},
"mode": "Incremental",
"parameters": {
"AdditionalRoleGUID": {
"value": "[variables('roleGUID')]"
},
"ManagementGroupID": {
"value": "[managementGroup().id]"
},
"ResourceGroupName": {
"value": "[parameters('ResourceGroupName')]"
},
Expand All @@ -117,6 +123,12 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"AdditionalRoleGUID": {
"type": "string"
},
"ManagementGroupID": {
"type": "string"
},
"ResourceGroupName": {
"type": "string"
},
Expand All @@ -128,7 +140,7 @@
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(managementGroup().id, parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name)]",
"name": "[guid(parameters('ManagementGroupID'), parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name, 'securityaudit')]",
"properties": {
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]",
Expand All @@ -138,10 +150,10 @@
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name)]",
"name": "[guid(parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name, 'additional-role')]",
"properties": {
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('roleGUID'))]",
"principalId": "[reference(resourceId(subscription().subscriptionId, parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]",
"principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]",
"principalType": "ServicePrincipal"
}
}
Expand All @@ -163,10 +175,20 @@
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"PublicKeyDevOnly": {
"value": "[parameters('PublicKeyDevOnly')]"
}
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"PublicKeyDevOnly": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
Expand Down Expand Up @@ -294,24 +316,28 @@
{
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2022-04-01",
"name": "[variables('roleGUID')]",
"name": "[parameters('AdditionalRoleGUID')]",
"properties": {
"assignableScopes": [
"/"
"[parameters('ManagementGroupID')]",
"[concat('/subscriptions/', parameters('SubscriptionId'))]",
"[concat('/subscriptions/', parameters('SubscriptionId'), '/resourcegroups/', parameters('ResourceGroupName'))]"
],
"description": "Additional read permissions for cloudbeatVM",
"permissions": [
{
"actions": [
"Microsoft.Web/sites/*/read"
"Microsoft.Web/sites/*/read",
"Microsoft.Web/sites/config/Read",
"Microsoft.Web/sites/config/list/Action"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "cloudbeatVM additional permissions",
"type": "Microsoft.Authorization/roleDefinitions"
"type": "CustomRole"
}
},
{
Expand Down Expand Up @@ -346,17 +372,7 @@
]
}
}
],
"parameters": {
"PublicKeyDevOnly": {
"type": "string"
}
}
},
"parameters": {
"PublicKeyDevOnly": {
"value": "[parameters('PublicKeyDevOnly')]"
}
]
}
},
"dependsOn": [
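Review bot: The dev inner template now declares only `PublicKeyDevOnly` (the `"parameters"` block after `"contentVersion"` in the hunk at -163,10 +175,20) and the enclosing deployment passes only that value, yet the role definition later in the same inner template (hunk -294,24 +316,28) reads `parameters('AdditionalRoleGUID')`, `parameters('ManagementGroupID')`, `parameters('SubscriptionId')` and `parameters('ResourceGroupName')`. Because the deployment sets `"expressionEvaluationOptions": {"scope": "inner"}`, those lookups resolve against the inner template's own parameters, so this dev template should fail validation with undefined parameters; the production template in this same commit (hunk -157,10 +169,38 of ARM-for-organization-account.json) declares and passes all four, and the dev file should mirror it. If the role definition resource actually sits outside the inner template, which the closing lines in hunk -346,17 +372,7 argue against, this does not apply. The inner template's declaration block would become the following, and the deployment's `"parameters"` object gets the matching `"value"` entries (`[variables('roleGUID')]`, `[managementGroup().id]`, `[parameters('ResourceGroupName')]`, `[parameters('SubscriptionId')]`) next to the existing `PublicKeyDevOnly` one.
```json
        "contentVersion": "1.0.0.0",
        "parameters": {
          "AdditionalRoleGUID": {
            "type": "string"
          },
          "ManagementGroupID": {
            "type": "string"
          },
          "PublicKeyDevOnly": {
            "type": "string"
          },
          "ResourceGroupName": {
            "type": "string"
          },
          "SubscriptionId": {
            "type": "string"
          }
        },
```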
64 changes: 54 additions & 10 deletions deploy/azure/ARM-for-organization-account.json
Expand Up @@ -44,8 +44,8 @@
},
"variables": {
"resourceGroupDeployment": "[concat('resource-group-deployment-', deployment().location)]",
"roleAssignmentDeployment": "[concat('role-assignment-deployment-', deployment().name)]",
"roleGUID": "[guid(subscription().subscriptionId)]"
"roleAssignmentDeployment": "[concat('role-assignment-deployment-', deployment().location)]",
"roleGUID": "[guid(parameters('SubscriptionId'))]"
},
"resources": [
{
Expand Down Expand Up @@ -100,6 +100,12 @@
},
"mode": "Incremental",
"parameters": {
"AdditionalRoleGUID": {
"value": "[variables('roleGUID')]"
},
"ManagementGroupID": {
"value": "[managementGroup().id]"
},
"ResourceGroupName": {
"value": "[parameters('ResourceGroupName')]"
},
Expand All @@ -111,6 +117,12 @@
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"AdditionalRoleGUID": {
"type": "string"
},
"ManagementGroupID": {
"type": "string"
},
"ResourceGroupName": {
"type": "string"
},
Expand All @@ -122,7 +134,7 @@
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(managementGroup().id, parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name)]",
"name": "[guid(parameters('ManagementGroupID'), parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name, 'securityaudit')]",
"properties": {
"roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7",
"principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]",
Expand All @@ -132,10 +144,10 @@
{
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[guid(subscription().id, parameters('ResourceGroupName'), deployment().name)]",
"name": "[guid(parameters('SubscriptionId'), parameters('ResourceGroupName'), deployment().name, 'additional-role')]",
"properties": {
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('roleGUID'))]",
"principalId": "[reference(resourceId(subscription().subscriptionId, parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('AdditionalRoleGUID'))]",
"principalId": "[reference(resourceId(parameters('SubscriptionId'), parameters('ResourceGroupName'), 'Microsoft.Compute/virtualMachines', 'cloudbeatVM'), '2019-07-01', 'Full').identity.principalId]",
"principalType": "ServicePrincipal"
}
}
Expand All @@ -157,10 +169,38 @@
"expressionEvaluationOptions": {
"scope": "inner"
},
"parameters": {
"AdditionalRoleGUID": {
"value": "[variables('roleGUID')]"
},
"ManagementGroupID": {
"value": "[managementGroup().id]"
},
"ResourceGroupName": {
"value": "[parameters('ResourceGroupName')]"
},
"SubscriptionId": {
"value": "[parameters('SubscriptionId')]"
}
},
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"AdditionalRoleGUID": {
"type": "string"
},
"ManagementGroupID": {
"type": "string"
},
"ResourceGroupName": {
"type": "string"
},
"SubscriptionId": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Compute/virtualMachines",
Expand Down Expand Up @@ -293,24 +333,28 @@
{
"type": "Microsoft.Authorization/roleDefinitions",
"apiVersion": "2022-04-01",
"name": "[variables('roleGUID')]",
"name": "[parameters('AdditionalRoleGUID')]",
"properties": {
"assignableScopes": [
"/"
"[parameters('ManagementGroupID')]",
"[concat('/subscriptions/', parameters('SubscriptionId'))]",
"[concat('/subscriptions/', parameters('SubscriptionId'), '/resourcegroups/', parameters('ResourceGroupName'))]"
],
"description": "Additional read permissions for cloudbeatVM",
"permissions": [
{
"actions": [
"Microsoft.Web/sites/*/read"
"Microsoft.Web/sites/*/read",
"Microsoft.Web/sites/config/Read",
"Microsoft.Web/sites/config/list/Action"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "cloudbeatVM additional permissions",
"type": "Microsoft.Authorization/roleDefinitions"
"type": "CustomRole"
}
}
]
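Review bot: `Microsoft.Web/sites/config/list/Action` in the custom role's `actions` (hunk -293,24 +333,28; the same list is added in the dev template's hunk -294,24 +316,28) is not a plain read: as far as I know it is the operation that returns a Web App's app settings and connection strings, which typically hold secrets, so the description `Additional read permissions for cloudbeatVM` understates what the VM's managed identity can now retrieve. Consider saying so in the role's `description`, for example `"description": "Read access to Web App metadata and security-sensitive site configuration (app settings, connection strings) for cloudbeatVM"`, so that anyone auditing the role in the portal sees the sensitivity, and keep the assignment at the narrowest of the scopes the new `assignableScopes` list allows. `Microsoft.Web/sites/config/Read` looks already covered by the `Microsoft.Web/sites/*/read` wildcard above it; keeping it is harmless but deserves a short justification if intentional. It is also worth confirming that a role definition created by this resource-group-schema inner deployment may list `parameters('ManagementGroupID')` as an assignable scope; if Azure rejects that, the definition belongs in the management-group-scoped nested deployment where the assignments are made.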
