From 46704be9e0f13af6d63829fafa9fc33f54627403 Mon Sep 17 00:00:00 2001
From: Seif Bassem <38246040+sebassem@users.noreply.github.com>
Date: Thu, 25 Jul 2024 15:29:25 +0300
Subject: [PATCH] update parameters files
---
 ...tGroup.managedIdentity.parameters.all.json | 8 ++++++-
 ...entGroup.securityGroup.parameters.all.json | 8 ++++++-
 ...Group.servicePrincipal.parameters.all.json | 8 ++++++-
 ...upMany.managedIdentity.parameters.all.json | 8 ++++++-
 ...roupMany.securityGroup.parameters.all.json | 8 ++++++-
 ...pMany.servicePrincipal.parameters.all.json | 8 ++++++-
 ...eGroup.managedIdentity.parameters.all.json | 6 +++++
 ...rceGroup.securityGroup.parameters.all.json | 6 +++++
 ...Group.servicePrincipal.parameters.all.json | 6 +++++
 ...upMany.managedIdentity.parameters.all.json | 6 +++++
 ...roupMany.securityGroup.parameters.all.json | 6 +++++
 ...pMany.servicePrincipal.parameters.all.json | 6 +++++
 ...iption.managedIdentity.parameters.all.json | 8 ++++++-
 ...cription.securityGroup.parameters.all.json | 8 ++++++-
 ...ption.servicePrincipal.parameters.all.json | 8 ++++++-
 ...onMany.managedIdentity.parameters.all.json | 8 ++++++-
 ...tionMany.securityGroup.parameters.all.json | 8 ++++++-
 ...nMany.servicePrincipal.parameters.all.json | 8 ++++++-
 ...oleAssignmentResourceGroup.parameters.json | 24 +++++++++++++++++++
 19 files changed, 144 insertions(+), 12 deletions(-)
 create mode 100644 infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.parameters.json
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
index 12c90c3de..14d2fdc6d 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
index 8851ff752..24a9f1f76 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json
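Review bot: The added `parRoleAssignmentCondition` lists `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` (the built-in Owner role) alongside `b24988ac-6180-42a0-ab88-20f7382dd24c` (Contributor) as assignable roles, so an assignee constrained by this sample can still hand Owner to any Group or ServicePrincipal in scope; as a "constrained delegation" example this is close to unconstrained, and a narrower role list would better model least privilege. The same condition is copied verbatim into the hunks through the `roleAssignmentSubscriptionMany.servicePrincipal` file, so the point applies to all of them. The condition only has an effect when the file's `parRoleDefinitionId` (above this hunk, outside it) is a role that itself grants `Microsoft.Authorization/roleAssignments/write`; a parameter file cannot carry comments, so the meaning of the two GUIDs and that prerequisite belong in the module README or, presumably, the Bicep `@description()` of `parRoleAssignmentCondition`. Note also that the hash on the `index` line shows the managedIdentity and servicePrincipal sample files end up byte-identical, which is pre-existing but worth a look.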
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
index 12c90c3de..14d2fdc6d 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
index 1e52c0bdd..ff13f60a4 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
index 11fd45b44..197fdfbfc 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.securityGroup.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
index 1e52c0bdd..ff13f60a4 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.servicePrincipal.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
index 391a338c7..14d2fdc6d 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.managedIdentity.parameters.all.json
@@ -14,6 +14,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
index c5d868fb0..24a9f1f76 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.securityGroup.parameters.all.json
@@ -14,6 +14,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
index 391a338c7..14d2fdc6d 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroup.servicePrincipal.parameters.all.json
@@ -14,6 +14,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
index b710c3995..28d1dd8fd 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.managedIdentity.parameters.all.json
@@ -17,6 +17,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
index 84825a5f8..ff5a8c85a 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.securityGroup.parameters.all.json
@@ -17,6 +17,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
index b710c3995..28d1dd8fd 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentResourceGroupMany.servicePrincipal.parameters.all.json
@@ -17,6 +17,12 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
index 12c90c3de..14d2fdc6d 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.managedIdentity.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
index 8851ff752..24a9f1f76 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.securityGroup.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
index 12c90c3de..14d2fdc6d 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscription.servicePrincipal.parameters.all.json
@@ -14,8 +14,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json
index bae222003..25244f95f 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.managedIdentity.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json
index 034a798b5..6e650390e 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.securityGroup.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json
index bae222003..25244f95f 100644
--- a/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json
+++ b/infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentSubscriptionMany.servicePrincipal.parameters.all.json
@@ -17,8 +17,14 @@
 "parAssigneeObjectId": {
 "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ },
 "parTelemetryOptOut": {
 "value": false
 }
 }
-}
\ No newline at end of file
+}
diff --git a/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.parameters.json b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.parameters.json
new file mode 100644
index 000000000..46755bcf0
--- /dev/null
+++ b/infra-as-code/bicep/modules/roleAssignments/roleAssignmentResourceGroup.parameters.json
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "parRoleDefinitionId": {
+ "value": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ },
+ "parAssigneePrincipalType": {
+ "value": "Group"
+ },
+ "parAssigneeObjectId": {
+ "value": "8e72b851-3ac2-44fc-97c3-3cb17842680d"
+ },
+ "parTelemetryOptOut": {
+ "value": false
+ },
+ "parRoleAssignmentCondition": {
+ "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {8e3af657-a8ff-443c-a75c-2fe8c4bcb635,b24988ac-6180-42a0-ab88-20f7382dd24c} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+ },
+ "parRoleAssignmentConditionVersion": {
+ "value": "2.0"
+ }
+ }
+}
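Review bot: The new file sets `parAssigneeObjectId` to a concrete principal `8e72b851-3ac2-44fc-97c3-3cb17842680d` while `parRoleDefinitionId` is `8e3af657-a8ff-443c-a75c-2fe8c4bcb635` (the built-in Owner role), whereas every sibling sample in this commit uses the `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` placeholder; anyone deploying this file unmodified would grant Owner on the target resource group to that specific group, and the file also commits an environment-specific identifier. The value should be the placeholder, `"value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"`. The file also sits directly under `modules/roleAssignments/` rather than in `parameters/` with the `.parameters.all.json` suffix the other eighteen files use, which looks like a local deployment file that was committed by accident; if it is intentional, naming and placing it like the others would make that clear. Its key order (`parTelemetryOptOut` before the condition keys) differs from the siblings as well, a cosmetic inconsistency.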