feat: Storage Account - Simplified File Share RBAC assignment to use …

…one less file & a more bicep-native deployment variant (#4041) ## Description Simplified Storage Account File Share RBAC assignment to use one less file & a more bicep-native deployment variant ## Pipeline Reference  | Pipeline | | -------- | | [![avm.res.storage.storage-account](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml/badge.svg?branch=users%2Falsehr%2FstorageFileShare&event=workflow_dispatch)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml) | ## Type of Change  - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation
Azure · Jan 20, 2025 · ab6c45f · ab6c45f
1 parent 3ac0f34
commit ab6c45f
Show file tree

Hide file tree

Showing 8 changed files with 461 additions and 640 deletions.
diff --git a/avm/res/storage/storage-account/file-service/README.md b/avm/res/storage/storage-account/file-service/README.md
@@ -13,6 +13,7 @@ This module deploys a Storage Account File Share Service.
 
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Storage/storageAccounts/fileServices` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2023-04-01/storageAccounts/fileServices) |
 | `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2023-01-01/storageAccounts/fileServices/shares) |

diff --git a/avm/res/storage/storage-account/file-service/main.json b/avm/res/storage/storage-account/file-service/main.json
diff --git a/avm/res/storage/storage-account/file-service/share/README.md b/avm/res/storage/storage-account/file-service/share/README.md
@@ -13,6 +13,7 @@ This module deploys a Storage Account File Share.
 
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2023-01-01/storageAccounts/fileServices/shares) |
 
 ## Parameters
@@ -100,6 +101,19 @@ Array of role assignments to create.
 
 - Required: No
 - Type: array
+- Roles configurable by name:
+  - `'Contributor'`
+  - `'Owner'`
+  - `'Reader'`
+  - `'Reader and Data Access'`
+  - `'Role Based Access Control Administrator'`
+  - `'Storage Account Backup Contributor'`
+  - `'Storage Account Contributor'`
+  - `'Storage Account Key Operator Service Role'`
+  - `'Storage File Data SMB Share Contributor'`
+  - `'Storage File Data SMB Share Elevated Contributor'`
+  - `'Storage File Data SMB Share Reader'`
+  - `'User Access Administrator'`
 
 **Required parameters**
 

diff --git a/avm/res/storage/storage-account/file-service/share/main.bicep b/avm/res/storage/storage-account/file-service/share/main.bicep
@@ -43,6 +43,59 @@ import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Reader and Data Access': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'c12c1c16-33a1-487b-954d-41c89c60f349'
+  )
+  'Role Based Access Control Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
+  )
+  'Storage Account Backup Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1'
+  )
+  'Storage Account Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '17d1049b-9a84-46fb-8f53-869881c3d3ab'
+  )
+  'Storage Account Key Operator Service Role': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '81a9662b-bebf-436f-a333-f67b29880f12'
+  )
+  'Storage File Data SMB Share Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
+  )
+  'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'a7264617-510b-434b-a828-9731dc254ea7'
+  )
+  'Storage File Data SMB Share Reader': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'aba4ae5f-2193-4029-9191-0cb91df5e314'
+  )
+  'User Access Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+  )
+}
+
+var formattedRoleAssignments = [
+  for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
+    roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains(
+        roleAssignment.roleDefinitionIdOrName,
+        '/providers/Microsoft.Authorization/roleDefinitions/'
+      )
+      ? roleAssignment.roleDefinitionIdOrName
+      : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
+  })
+]
+
 resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {
   name: storageAccountName
 
@@ -63,13 +116,22 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-0
 }
 
 // NOTE: This is a workaround for a bug of the resource provider. Ref: https://github.com/Azure/bicep-types-az/issues/1532
-module fileShare_roleAssignments 'modules/nested_roleAssignment.bicep' = if (!empty(roleAssignments)) {
-  name: '${uniqueString(deployment().name)}-Share-Rbac'
-  params: {
-    fileShareResourceId: fileShare.id
-    roleAssignments: roleAssignments!
+module fileShare_roleAssignments './modules/nested_inner_roleAssignment.json' = [
+  for (roleAssignment, index) in (formattedRoleAssignments ?? []): {
+    name: '${uniqueString(deployment().name)}-Share-Rbac-${index}'
+    params: {
+      scope: replace(fileShare.id, '/shares/', '/fileshares/')
+      name: roleAssignment.?name ?? guid(fileShare.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
+      roleDefinitionId: roleAssignment.roleDefinitionId
+      principalId: roleAssignment.principalId
+      principalType: roleAssignment.?principalType
+      condition: roleAssignment.?condition
+      conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+      delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
+      description: roleAssignment.?description
+    }
   }
-}
+]
 
 @description('The name of the deployed file share.')
 output name string = fileShare.name