|
27 | 27 | "devopsServicePrincipalCredentials": { |
28 | 28 | "type": "object" |
29 | 29 | }, |
| 30 | + "additionalPrincipals": { |
| 31 | + "type": "array" |
| 32 | + }, |
30 | 33 | "adlsStorageAccountContainerName": { |
31 | 34 | "type": "string", |
32 | 35 | "defaultValue": "test" |
|
80 | 83 | }, |
81 | 84 | "resources": [ |
82 | 85 | /******************************************************************************************************************************************** |
83 | | - **** Resource group permissions |
| 86 | + **** Dev-Ops Service Principal Permissions (Things not granted by owner/contributor at the RG level) |
84 | 87 | ********************************************************************************************************************************************/ |
85 | 88 |
|
86 | | - // Add the devops service principal as a reader on the resource group (DevTest Labs is configured to create an RG for each lab). |
87 | | - |
88 | | - // // 'Reader' scoped to the resource group. This already exists, here as an example |
89 | | - // { |
90 | | - // "type": "Microsoft.Authorization/roleAssignments", |
91 | | - // "apiVersion": "[variables('authorizationApiVersion')]", |
92 | | - // "name": "[guid(resourceGroup().id, 'devopsServicePrincipal_rg_reader')]", |
93 | | - // "properties": { |
94 | | - // "roleDefinitionId": "[variables('reader')]", |
95 | | - // "principalId": "[parameters('devopsServicePrincipalCredentials').client_object_id]" |
96 | | - // } |
97 | | - // }, |
98 | | - |
99 | | - |
100 | 89 | // 'Storage Blob Data Contributor' scoped to the storage account container |
101 | 90 | { |
102 | 91 | "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments", |
|
143 | 132 |
|
144 | 133 |
|
145 | 134 |
|
146 | | - |
147 | | - |
148 | | - // Add IAM access for functions app. See the following page for details of how to get the object id for the SPN |
149 | | - // https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/ |
| 135 | + /******************************************************************************************************************************************** |
| 136 | + **** Functions App Service Principal Permissions (Allow the functions app to access resources) |
| 137 | + **** |
| 138 | + **** Adds IAM access for functions app. See the following page for details of how to get the object id for the SPN |
| 139 | + **** https://www.codeisahighway.com/there-is-a-new-way-to-reference-managed-identity-in-arm-template/ |
| 140 | + ********************************************************************************************************************************************/ |
150 | 141 |
|
151 | 142 | // 'Reader' scoped to the storage account |
152 | 143 | { |
|
180 | 171 | ] |
181 | 172 | }, |
182 | 173 |
|
| 174 | + |
| 175 | + /******************************************************************************************************************************************** |
| 176 | + **** Additional principals arte added using the additional principals array parameter |
| 177 | + **** |
| 178 | + **** Use the copy() function to loop over the array and add permissions for those users / groups / service principals using their object |
| 179 | + **** id's. |
| 180 | + ********************************************************************************************************************************************/ |
| 181 | + |
| 182 | + // 'Reader' scoped to the resource group. This already exists, here as an example |
| 183 | + { |
| 184 | + "type": "Microsoft.Authorization/roleAssignments", |
| 185 | + "apiVersion": "[variables('authorizationApiVersion')]", |
| 186 | + "name": "[guid(resourceGroup().id, parameters('additionalPrincipals')[copyIndex()])]", |
| 187 | + "properties": { |
| 188 | + "roleDefinitionId": "[variables('reader')]", |
| 189 | + "principalId": "[parameters('additionalPrincipals')[copyIndex()]]" |
| 190 | + }, |
| 191 | + "copy": { |
| 192 | + "name": "principalCopy", |
| 193 | + "count": "[length(parameters('additionalPrincipals'))]" |
| 194 | + } |
| 195 | + }, |
| 196 | + |
| 197 | + // 'Storage Blob Data Contributor' scoped to the storage account container |
| 198 | + { |
| 199 | + "type": "Microsoft.Storage/storageAccounts/blobServices/containers/providers/roleAssignments", |
| 200 | + "name": "[concat(variables('adlsStorageAccountName'), '/default/', parameters('adlsStorageAccountContainerName'), '/Microsoft.Authorization/', guid(resourceGroup().id, parameters('additionalPrincipals')[copyIndex()], variables('adlsStorageAccountName'), parameters('adlsStorageAccountContainerName'), variables('storageBlobDataContributor')))]", |
| 201 | + "apiVersion": "[variables('authorizationApiVersion')]", |
| 202 | + "properties": { |
| 203 | + "roleDefinitionId": "[variables('storageBlobDataContributor')]", |
| 204 | + "principalId": "[parameters('additionalPrincipals')[copyIndex()]]" |
| 205 | + }, |
| 206 | + "dependsOn": [ |
| 207 | + "[concat('Microsoft.Storage/storageAccounts/', variables('adlsStorageAccountName'), '/blobServices/default/containers/', parameters('adlsStorageAccountContainerName'))]" |
| 208 | + ], |
| 209 | + "copy": { |
| 210 | + "name": "principalCopy", |
| 211 | + "count": "[length(parameters('additionalPrincipals'))]" |
| 212 | + } |
| 213 | + }, |
| 214 | + |
| 215 | + // Assign access policies to the key vault. Need to test adding this to the KV template... |
| 216 | + { |
| 217 | + "type": "Microsoft.KeyVault/vaults/accessPolicies", |
| 218 | + "name": "[concat(variables('keyVaultName'), '/add')]", |
| 219 | + "apiVersion": "[variables('keyVaultApiVersion')]", |
| 220 | + "properties": { |
| 221 | + "copy": [ |
| 222 | + { |
| 223 | + "name": "accessPolicies", |
| 224 | + "count": "[length(parameters('additionalPrincipals'))]", |
| 225 | + "input": { |
| 226 | + "tenantId": "[subscription().tenantId]", |
| 227 | + "objectId": "[parameters('additionalPrincipals')[copyIndex('accessPolicies')]]", |
| 228 | + "permissions": { |
| 229 | + "secrets": [ |
| 230 | + "list", |
| 231 | + "get" |
| 232 | + ] |
| 233 | + } |
| 234 | + } |
| 235 | + } |
| 236 | + ] |
| 237 | + }, |
| 238 | + "dependsOn": [ |
| 239 | + "[concat('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]" |
| 240 | + ] |
| 241 | + }, |
| 242 | + |
| 243 | + |
183 | 244 | /******************************************************************************************************************************************** |
184 | 245 | **** ADLS storage |
185 | 246 | ********************************************************************************************************************************************/ |
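Review bot: The `additionalPrincipals` parameter introduced in the first hunk has no `defaultValue` and no description, yet every object id it carries receives resource-group-wide Reader, Storage Blob Data Contributor on the container and Key Vault secret `get`/`list` in the three copy-driven resources at the end of the section; declare it `"defaultValue": []` so an omitted parameter deploys no extra grants instead of failing validation, and add a `metadata.description` that names those three grants so callers understand the blast radius of each id they pass. The Reader assignment name `guid(resourceGroup().id, parameters('additionalPrincipals')[copyIndex()])` omits the role definition, unlike the storage assignment below it, so a second RG-scoped role for the same principal would collide on name; seed it as `guid(resourceGroup().id, parameters('additionalPrincipals')[copyIndex()], variables('reader'))`. Both role-assignment loops are named `principalCopy`; ARM appears to require copy-loop names to be unique within a template, and distinct names (for example `additionalPrincipalReaderCopy` and `additionalPrincipalBlobCopy`) would also let later resources depend on one loop. If the `authorizationApiVersion` variable resolves to a version that supports it, adding `"principalType"` to each role assignment's properties avoids the replication-delay failures that newly created service principals cause. The comment `// 'Reader' scoped to the resource group. This already exists, here as an example` was carried over from the removed block and no longer describes a live, looped resource — replace it with `// 'Reader' scoped to the resource group, one assignment per entry in additionalPrincipals`, and "arte" in the banner above it should read "are".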
|