RBAC - Modification / Removal in BICEP

[HariRajan2014]

Hi ,

I am working RBAC assignment in bicep and got stuck in an issue , requesting your help on the same please.
These are the things which I am trying to achieve and please find the status over here.

• [1] RBAC Policy -Role creation
• [2] RBAC Assignment at Management Groups level
• [3] RBAC Removal at Management Groups level.

As you know RBAC is an operational governance stuff so there will be RBAC assignment and removal very often in an environment . I am trying to do the same using bicep and one of the principle which I have taken while developing it was to make it more simple. Since my thought process was to make it simple and very scalable approach , I thought to orchestrate it using below logic.

• Capture each Management Group's RBAC assignment as an object (aka environment file) . This is the mirrored copy of the RBAC of the management groups. Someone looking into this file can easily understand that below identities are assigned with these roles in each mg's.
• New access should be granted with lesser steps and easy deployment should be possible .
• Access should be exactly replicated to azure portal as mentioned the environment file.

But I got stuck with a modification update issue and would like to know how this can be resolved.

Scenario : let say in the first deployment pass , I have assigned below security groups starting with mg1 and mg2 to a role and in the second deployment cycle , I have removed mg2 and replaced with a security group called mg3. Once the deployment is completed we can see that all three security groups are assigned with this role but what I need is only mg1 and mg3 should be assigned with the role when the second deployment completes.

Current problem is only with RBAC assignment and removal as it is not doing the modifications as it is needed. What I am trying to achieve is to keep the rbac assignment as mentioned in the environment file and if we take above scenario as example again , the role should only be associated with mg1 and mg2 as I stated.

As like RBAC assignment ,can I do the RBAC removal as well using another resource block please.

The reason I have used a for loop for RBAC assignment is that to make the RBAC assignment and removal simple. let say if we need to do give access to new security group to existing role , just add it in the environment file then do the deployment and no need to do any code level change.

Please let me know how I can solve this . thank you .

First Pass Inputs

        AccessGrantedADObjectIds: [
          {
            Name : 'mg1testgroup'
            Objectid: '17ea184b-e6e6-4fec-a0d7-878ce5d85d49' 
            ObjectidType: 'security group'
          }
          {
              Name : 'mg2testgroup'
              Objectid: 'a00e2425-4ab2-4b50-9a6f-8c1df5bccf78'
              ObjectidType: 'security group'
          }
        ]

Second Pass Inputs

AccessGrantedADObjectIds: [
{
Name : 'mg1testgroup'
Objectid: '17ea184b-e6e6-4fec-a0d7-878ce5d85d49'
ObjectidType: 'security group'
}
{
Name : 'mg3testgroup'
Objectid: 'B00e2425-4ab2-4b50-9a6f-8c1df5bccfB1'
ObjectidType: 'security group'
}
]

---- Code ---------

main.bicep

targetScope = 'managementGroup'

var v_MGgroupDefinition = {
  mg1: {
    name: 'testmg1'
    id: '10000000-100-1000-1000-10000000000'
    MgDescription: ' this is a test mg,  '
    rbacproperties: {
        contributor:  {

            RoleName: 'contributor' 
            RoleDescription: 'Custom role for user access and management of the this Group and all subscriptions'
            id: '20000000-100-1000-1000-100000000'
            
            AccessGrantedADObjectIds: [
              {
                Name : 'mg1testgroup'
                Objectid: '17ea184b-e6e6-4fec-a0d7-878ce5d85d49' 
                ObjectidType: 'security group'
              }
              {
                  Name : 'mg2testgroup2'
                  Objectid: 'a00e2425-4ab2-4b50-9a6f-8c1df5bccf78'
                  ObjectidType: 'security group'
              }
            ]

    }

    auditor: {

            RoleName: 'auditor' 
            RoleDescription: 'Custom role for user access and management of the this Group and all subscriptions'
            id: '30000000-100-1000-1000-100000000'
            AccessGrantedADObjectIds: [
              {
                Name : 'mg1testgroup'
                Objectid: '17ea184b-e6e6-4fec-a0d7-878ce5d85d49' 
                ObjectidType: 'security group'
              }
              {
                Name : 'mg2testgroup'
                Objectid: 'a00e2425-4ab2-4b50-9a6f-8c1df5bccf78'
                ObjectidType: 'security group'
         
              }
             
       
         
            ]
    }
    automation: {

      RoleName: 'automation' 
      RoleDescription: 'Custom role for user access and management of the this Group and all subscriptions'
      id: '40000000-100-1000-1000-100000000'
      AccessGrantedADObjectIds: [
        {
          
        }
       
      ]
}
     }
      }

/ first role creation and each management group is a module.


module m_mg1_rbac './modules-mg/azure-rbac-roles-mg1-01.bicep'= {
  name:v_MGgroupDefinition .mg1.name
  scope:managementGroup(v_MGgroupDefinition.mg1.name)
  params: {
  v_managementGroupName:v_MGgroupDefinition .mg1.name
  v_roledefinitionuniqueid:v_MGgroupDefinition.mg1.id
  v_mgrbacproperties: v_MGgroupDefinition.mg1.rbacproperties

  }
  }

azure-rbac-roles-mg1-01.bicep

// Name of the MG = MG1

targetScope = 'managementGroup'


param v_managementGroupName string
param v_roledefinitionuniqueid  string
param v_mgrbacproperties object



// RBAC 1 - Contributor

resource r_mg1_mgt_sdlc_01_contributor 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
  name: guid(v_managementGroupName,v_roledefinitionuniqueid,v_mgrbacproperties.contributor.id)
    properties: {
    roleName: '${v_managementGroupName}_contributor'
    description: 'Custom role for user access and management of the ${v_managementGroupName} Group and all subscriptions'
    type: 'CustomRole'
    permissions: [
      {
        actions: [
          '*'
        ]
        notActions: [
      'Microsoft.Authorization/*/Delete'
			'Microsoft.Authorization/*/Write'
			'Microsoft.Compute/disks/beginGetAccess/action'
			'Microsoft.Compute/disks/endGetAccess/action'
			'Microsoft.Authorization/elevateAccess/Action/*'
			'Microsoft.blueprint/blueprintAssignments/Write'
			'Microsoft.Network/publicIPAddresses/write'
			'Microsoft.Network/publicIPAddresses/delete'
			'Microsoft.Network/publicIPAddresses/join/action'
			'Microsoft.blueprint/blueprintAssignments/delete'
        ]
      
      }
    ]
    assignableScopes: [
      '/providers/microsoft.management/managementGroups/${v_managementGroupName}'
    ]
  }
}

//debugging purpose only needed
//output o_r_mg1_mgt_sdlc_01_contributorid string = r_mg1_mgt_sdlc_01_contributor .id
 


// This must be changed to each role.

var ContributorAccessGrantedADObjectIds = union(v_mgrbacproperties.contributor.AccessGrantedADObjectIds, [])


//Returns True if the value is empty; otherwise, False.
var ContributorArrayisempty = empty(ContributorAccessGrantedADObjectIds) 
var ContributorArraycount = length(ContributorAccessGrantedADObjectIds)

//debugging purpose only needed
output arraylength int = ContributorArraycount
output arrayempty bool = ContributorArrayisempty


// batch size turned off due to a bug 
//https://github.com/Azure/bicep/discussions/4386 -Template Validation is failing with a message "invalid copy batch size" while using batchsize decorator and empty array in for loop




//@batchSize(1) 
resource r_mg1_mgt_sdlc_01_contributor_rbac_assignment 'Microsoft.Authorization/roleAssignments@2018-09-01-preview'  = [for principal in ContributorAccessGrantedADObjectIds:  {
  name: guid(r_mg1_mgt_sdlc_01_contributor.id,v_mgrbacproperties.contributor.id,principal.Objectid)
  
  properties: {
    
    //roleDefinitionId: '/providers/${r_tu_mgt_sdlc_01_contributor.id}'
    roleDefinitionId: startsWith(r_mg1_mgt_sdlc_01_contributor.id, 'Microsoft.Authorization') ? '/providers/${r_mg1_mgt_sdlc_01_contributor.id}' : r_mg1_mgt_sdlc_01_contributor.id
    principalId: principal.Objectid
  }
} ]

[brwilkinson]

I wonder if the new Deployment Stacks will be able to target MGs, Subs & RGs since that is where some of the lifecycle capabilities are going to come from. Will have to keep an eye on this and ask some further questions once the private preview is in play (possibly next month?!). Did you get the sign up link for Deployment Stacks? it was available on the past community call.

Sorry no better answer that I can think of at this moment. ARM does not have a remove/cleanup capability at the moment, so you would need to script it out.

FYI below (however not applicable here)

It's difficult to recommend 'Complete' deployment Modes to most customers, since it can be destructive. It also only works on Resource Group Deployments (as far as I know). i.e. not subscription or MG Scopes. Although it seems like it would be a good fit for MG deployments for your scenario if it was enabled/possible.

https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deployment-modes#complete-mode

If you haven't tried Complete Mode (on RG's), please be careful when testing this out. I put some comments on the thread below with some samples.

Anything not defined in your current template/deployment will be removed. Please don't delete anything you want to keep, please test in a dev/sandbox resource group.

Samples here: #1418

[alex-frankel]

Can you clarify a bit more about the scenario of needing to add a role assignment, then quickly remove it? Is this specific to assigning blueprints?

Once we have stacks, in two separate deployments of a stack you could do this:

Stack at Time 0:

• Role Def
• Role assignment:

Updated stack at Time 1:

• Role Def

That will remove the role assignment since it is no longer in the bicep/template code.

That's more of a scenario of needing the role assignment at one point, but then deciding it's not needed later, so you update the definition of the goal state. What's a bit more unusual about this scenario is that you know at the beginning you won't need the role assignment eventually.

cc @bmoore-msft / @apclouds

[brwilkinson]

Alex may be out today, however it seems like you are on the same page ... reference what Alex mentioned about Stacks, I believe that will be the solution that you are searching.

[HariRajan2014]

@brwilkinson @alex-frankel - Thanks. That's good news that the deployment stack can do the removal of resources that are not defined in the template. Also, I hope it supports management group level RBAC's wherein we should be able to achieve all the mg's RBAC in a tenant using a single deployment stack. Looking forward to it. Thank You.

[alex-frankel]

Yes, deployment stacks can be deployed at RG, sub, or MG scopes.

[bmoore-msft]

Just to be really clear - the deploymentStack will remove resources not defined in a template provided they are managedBy the stack and you purge them. IOW, the resources were defined in the template previously used by the stack in the last deployment. That's slightly different than complete mode, that just looks at the scope (i.e. RG) for any resource not defined in the template and then removes it.

[HariRajan2014]

thanks, It is clear now and appreciate your help.