Azure Bicep - Role assignment - Principal does not exist in the directory - azure

I've created a Bicep template. In it I create a user-assigned identity and reference it in other resources like this
var identityName = 'mid-dd-test'
var roleName = 'TestRole'
var roleDescription = 'Some test'
var roleScopes = [
  resourceGroup().id
]
var resolvedActions = [
  'Microsoft.Resources/subscriptions/resourcegroups/*'
  'Microsoft.Compute/sshPublicKeys/*'
]
var permittedDataActions = []

resource userId 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: identityName
  location: resourceGroup().location
}

resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
  name: guid(subscription().id, 'bicep', 'dsadsd')
  properties: {
    roleName: roleName
    description: roleDescription
    type: 'customRole'
    assignableScopes: roleScopes
    permissions: [
      {
        actions: resolvedActions
        dataActions: permittedDataActions
      }
    ]
  }
}

resource roles 'Microsoft.Authorization/roleAssignments@2018-09-01-preview' = {
  name: guid(subscription().id, 'bicep-roleassignments', 'dsddsd')
  properties: {
    principalId: userId.properties.principalId
    roleDefinitionId: roleDef.id
  }
}
Whenever I deploy this I need 2 runs. The first run ends in the error message:
Principal XXX does not exist in the directory YYY
where XXX would be a principal id the user-assigned identity has and YYY is my tenant id. If I now look into the portal the identity is created and XXX is the correct id.
So when I now simply re-run the deployment it works.
I consider it a bug in dependsOn which should relate to ARM templates and not Bicep. I could not find any place where I can report ARM template issues to Microsoft.
I'm asking to assure that I do not miss something else here.
Edit: Added a complete working sample which shows the bug. To use it, copy the script content into a test.bicep locally. Then create a resource group (let's call it "rg-test"), ensure that your local POSH context is set correctly and execute the following line in the folder where you stored the bicep file:
New-AzResourceGroupDeployment -Name deploy -Mode Incremental -TemplateFile .\test.bicep -ResourceGroupName rg-test

In the role assignment, you need to specify the principalType as ServicePrincipal and also use an API version greater than or equal to 2018-09-01-preview.
When you create a service principal, it is created in Azure AD. It takes some time for the service principal to be replicated globally. By setting the principalType to ServicePrincipal, it tells the ARM API to wait for the replication.
resource roles 'Microsoft.Authorization/roleAssignments@2018-09-01-preview' = {
  name: guid(subscription().id, 'bicep-roleassignments', 'dsddsd')
  properties: {
    principalId: userId.properties.principalId
    roleDefinitionId: roleDef.id
    principalType: 'ServicePrincipal'
  }
}

You need to reference the newly created identity inside the identity property of the target resource. dependsOn is redundant because Bicep creates resources in the correct order based on actual usage:
resource userId 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: 'myidentity'
  location: resourceGroup().location
}

resource appService 'Microsoft.Web/sites@2021-02-01' = {
  name: 'appserviceName'
  location: resourceGroup().location
  properties: {
    //...
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '/subscriptions/{your_subscription_id}/resourceGroups/${resourceGroup().name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${userId.name}': {}
    }
  }
}
The documentation doesn't recommend using dependsOn without a strong reason:
In most cases, you can use a symbolic name to imply the
dependency between resources. If you find yourself setting explicit
dependencies, you should consider if there's a way to remove it.

So Bicep does not require the dependsOn segment if the property is referenced correctly.
You need to reference the properties.principalId of the userId in the resource block.
So it would look like:
userId.properties.principalId
Here's a quickstart that calls out in a working example how this would work.
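As an added example (not code from the question or the answers above), here is the question's template with the first answer's fix applied, plus two changes a reviewer would ask for: the role and assignment names are derived from scope, role and principal instead of fixed strings, so a new identity cannot collide with a stale assignment name, and the custom role is narrowed to the one read operation the identity needs. Identity and role names are illustrative.

```bicep
// Added example, not from the question or answers: corrected version of the
// template above. Names and the permitted action are illustrative assumptions.
targetScope = 'resourceGroup'

param identityName string = 'mid-dd-test'
param roleName string = 'TestRole'

// Least privilege: one concrete read operation instead of the '*' wildcards,
// and the role can only be assigned inside this resource group.
var resolvedActions = [
  'Microsoft.Compute/sshPublicKeys/read'
]

resource userId 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: identityName
  location: resourceGroup().location
}

resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
  // Role definition names must be GUIDs; deriving it from the role name means a
  // redeploy updates the same definition rather than creating a duplicate.
  name: guid(subscription().id, roleName)
  properties: {
    roleName: roleName
    description: 'Read-only access to SSH public keys in this resource group'
    type: 'customRole'
    assignableScopes: [
      resourceGroup().id
    ]
    permissions: [
      {
        actions: resolvedActions
        notActions: []
        dataActions: []
        notDataActions: []
      }
    ]
  }
}

resource roles 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  // Scope + role + principal: a new identity or a changed role produces a new
  // assignment name instead of failing against the existing assignment.
  name: guid(resourceGroup().id, roleDef.id, userId.id)
  properties: {
    principalId: userId.properties.principalId
    roleDefinitionId: roleDef.id
    // Tells ARM the principal is a service principal so it waits for Azure AD
    // replication instead of failing with "Principal ... does not exist in the directory".
    principalType: 'ServicePrincipal'
  }
}

output principalId string = userId.properties.principalId
```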

Related

Secret scoped role definition and assignment using bicep

I am trying to create two reusable bicep modules to allow reading specific secrets in chosen key vaults. To do this, I first declare the role definition:
targetScope = 'subscription'

param subscriptionId string
param resourceGroupName string
param keyVaultName string
param allowedSecrets array
param managementGroupRoot string

var keyVaultScope = '/subscriptions/${subscriptionId}/resourcegroups/${resourceGroupName}/providers/Microsoft.KeyVault/vaults/${keyVaultName}'
var assignableScopes = [for secretName in allowedSecrets: '${keyVaultScope}/secrets/${secretName}']
var roleName = 'Limitied ${keyVaultName} secret reader ${managementGroupRoot}'

// Permissions based on Key Vault Secrets User
// https://www.azadvertizer.net/azrolesadvertizer/4633458b-17de-408a-b874-0445c86b69e6.html
resource key_vault_secrets_user_role_definition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  name: '4633458b-17de-408a-b874-0445c86b69e6'
}

resource role_definition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
  name: guid(roleName)
  properties: {
    roleName: roleName
    description: 'Allows reading specific secrets in the ${keyVaultName} key vault in ${managementGroupRoot}'
    assignableScopes: assignableScopes
    permissions: key_vault_secrets_user_role_definition.properties.permissions
  }
}

output roleDefinitionId string = role_definition.id
The role definition creation works well, and it results in this role definition:
{
  "assignableScopes": [
    "/subscriptions/subscriptionId/resourcegroups/resourceGroupName/providers/Microsoft.KeyVault/vaults/keyVaultName/secrets/secretName",
    "/subscriptions/subscriptionId/resourcegroups/resourceGroupName/providers/Microsoft.KeyVault/vaults/keyVaultName/secrets/anotherSecret"
  ],
  "description": "Allows reading specific secrets in the xxx} key vault in xxx",
  "id": "/subscriptions/xxx/providers/Microsoft.Authorization/roleDefinitions/xxx",
  "name": "c64aa8eb-479d-5c2d-8f25-b1acb151c0af",
  "permissions": [
    {
      "actions": [],
      "dataActions": [
        "Microsoft.KeyVault/vaults/secrets/getSecret/action",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"
      ],
      "notActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Limitied key vault secret reader xxx",
  "roleType": "CustomRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}
Next, I want to assign this role to a service principal. Here's where I'm not entirely clear on the details, but since I want this principal to be able to read n number of individual secrets, I made the assumption that I would need to iterate on the assignable scopes.
To do that, I have a main file:
targetScope = 'managementGroup'

resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  name: roleDefinitionId
}

module example 'module.bicep' = {
  name: 'example-${managementGroup().name}'
  scope: resourceGroup(keyVaultSubscriptionId, keyVaultResourceGroupName)
  params: {
    roleDefinitionId: roleDefinitionId
    assignableScopes: roleDefinition.properties.assignableScopes
    managementGroupName: managementGroup().name
    keyVaultName: keyVaultName
  }
}
The module then looks like this:
targetScope = 'resourceGroup'

param roleDefinitionId string
param assignableScopes array = []
param managementGroupName string
param keyVaultName string
param principalId string

// Full scope looks like this:
// '/subscriptions/<sub>/resourcegroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault>/<secret>'
// Hence index 8 is the secret name
// Also verifies that the secrets exist
var secretNames = [for scope in assignableScopes: split(scope, '/')[8]]

resource secretResources 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = [for secret in secretNames: {
  name: '${keyVaultName}/${secret}'
}]

// Iterating the secretResources array is not supported, so we iterate the scopes they are based on
resource regressionTestKeyVaultReaderAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for (scope, index) in assignableScopes: {
  name: guid(managementGroupName, principalId, scope)
  scope: secretResources[index] // Access by index and apply this role assignment to all assignable scopes
  properties: {
    principalId: principalId
    roleDefinitionId: roleDefinitionId
  }
}]
However, this fails with the following error:
ERROR: ***"code": "InvalidTemplate", "message": "Deployment template validation failed: 'The template resource 'exmaple-xxx' at line '97' and column '5' is not valid: Unable to evaluate template language function 'extensionResourceId': function requires exactly two multi-segmented arguments. The first must be the parent resource id while the second must be resource type including resource provider namespace. Current function arguments '/providers/Microsoft.Management/managementGroups/ESD,Microsoft.Authorization/roleDefinitions,/subscriptions/***/providers/Microsoft.Authorization/roleDefinitions/xxx'. Please see https://aka.ms/arm-template-expressions/#extensionresourceid for usage details.. Please see https://aka.ms/arm-template-expressions for usage details.'.", "additionalInfo": [***"type": "TemplateViolation", "info": ***"lineNumber": 97, "linePosition": 5, "path": "properties.template.resources[6]"***]***
I am using az to deploy in a GitHub pipeline so I tried to access the request and response, to no avail:
$deployment = az deployment mg create | ConvertFrom-Json  # additional params omitted
Write-Host "Request: $(ConvertTo-Json -InputObject $deployment.request)"    # Request: null
Write-Host "Response: $(ConvertTo-Json -InputObject $deployment.response)"  # Response: null
The error is very cryptic to me and I don't really know what is going on as I'm not even using that utility method that is being referenced. I'm guessing the conversion to ARM does something in the background. vscode says everything is fine and dandy.
What am I doing wrong? My only guess is the scope part of the assignment, but I have no ideas on how to correct it.
Any help would be greatly appreciated.
Update
Some additional information that I found while trying to solve this. The validation of the template fails and the deployment doesn't even start. I built both the main and the module bicep files to see if that would give some additional context. The module looks fine but main has an error on the module resource:
So this is in the main file with targetScope = 'managementGroup', and the module with targetScope = 'resourceGroup' shows no validation errors when built.
Update 2
When compiled to ARM, I see the following value is passed from main to the module:
"assignableScopes": {
  "value": "[reference(extensionResourceId(managementGroup().id, 'Microsoft.Authorization/roleDefinitions', parameters('secretReaderRoleDefinitionId')), '2018-01-01-preview').assignableScopes]"
},
AFAICT this is 3 arguments, and the error I get in the GitHub pipeline says:
Unable to evaluate template language function 'extensionResourceId': function requires exactly two multi-segmented arguments.
That doesn't seem to be true when reading the docs about that function.
Update 3
The error is produced in a GitHub pipeline where I'm running on ubuntu-latest. I'm going to replicate the same command locally and see if I can get it to work here in case of a runner issue.
Update 4
Exact same error reproduced outside of the GitHub pipeline.
A couple thoughts...
Creating a custom roleDef with limited assignable scopes doesn't have a ton of value from a security perspective, because the built-in roleDef has the same permissions and a broader scope - and the principal that assigns one would be able to assign the other.
If your goal is to simply iterate over the secrets and assign the role to those secrets all you need is the resourceId of those secrets. It looks like you're trying to pull that list from the roleDefinition (instead of passing to the template) which is possible but seems somewhat complex. That would mean that any time you want to "adjust" this deployment you have to define a new role or modify the existing, both have some downstream consequences. There are a finite number of custom roles that can be defined in a tenant and as you change them you could break existing assignments unintentionally (either remove access or inadvertently give access to new ones).
That said, I don't see that specific error in your code but perhaps a few others - try this:
main.bicep
targetScope = 'managementGroup'

param roleDefinitionId string
param keyVaultSubscriptionId string
param keyVaultResourceGroupName string
param keyVaultName string
param principalId string

resource roleDefinition 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  scope: subscription(keyVaultSubscriptionId)
  name: roleDefinitionId
}

module example 'module.bicep' = {
  name: 'example-${managementGroup().name}'
  scope: resourceGroup(keyVaultSubscriptionId, keyVaultResourceGroupName)
  params: {
    roleDefinitionId: roleDefinitionId
    assignableScopes: roleDefinition.properties.assignableScopes
    keyVaultName: keyVaultName
    principalId: principalId
  }
}
module.bicep
targetScope = 'resourceGroup'

param roleDefinitionId string
param assignableScopes array
param keyVaultName string
param principalId string

var secretNames = [for scope in assignableScopes: last(split(scope, '/'))]

resource secretResources 'Microsoft.KeyVault/vaults/secrets@2021-11-01-preview' existing = [for secret in secretNames: {
  name: '${keyVaultName}/${secret}'
}]

resource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  name: roleDefinitionId
}

resource regressionTestKeyVaultReaderAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = [for (scope, index) in assignableScopes: {
  name: guid(roleDef.id, principalId, scope)
  scope: secretResources[index]
  properties: {
    principalId: principalId
    roleDefinitionId: roleDef.id
  }
}]

Assign Data Reader Role between App Configuration and App Service in Azure

I would like to do these steps: App Configuration -> Access control (IAM) -> Add role assignment -> App Configuration Data Reader -> Assign access to Managed identity -> Select Members (choose my app service) -> Save, but instead of using the Azure Portal for that, I wanted to use an ARM/Bicep template.
I tried something like this:
targetScope = 'resourceGroup'

param principalId string = 'x-x-x-x-x-x-x-x-x'
param roleDefinitionId string = 'x-x-x-x-x-x'

var roleAssignmentName = guid('/', principalId, roleDefinitionId)

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-03-01-preview' = {
  name: roleAssignmentName
  properties: {
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: principalId
  }
}
But there are 2 problems with this solution. Firstly, I am using targetScope = resourceGroup, which creates this role inside the RG, and then my App Configuration just inherits it from the RG. Probably, the proper solution would be to provide the App Configuration name somewhere, so it would be used instead of scoping it to the Resource Group.
Also, hard-coding principalId and roleDefinitionId like this feels pretty bad, but e.g. I can't access the principalId of my Web App by doing something like this:
resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: 'myUniqueWebAppName'
}

param principalId string = webApp.identity.principalId
as it says that This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values.
Also, I don't know how to access roleDefinitionId, I know where to find it in Azure Portal, but no idea how to access it without hard-coding.
A few things:
You can specify the scope of the roleAssignment using the scope property.
The role Id won't change, so hardcoding the roleId is not really an issue; you could always pass it as a parameter as well.
If you create a module to do the role assignment, you would be able to inject the webapp principalId.
You can create a module like that:
// app-configuration-role-assignment.bicep
param appConfigurationName string
param principalId string
param roleId string

// Get a reference to app config
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2022-05-01' existing = {
  name: appConfigurationName
}

// Grant permission
resource appConfigurationRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(appConfiguration.id, roleId, principalId)
  scope: appConfiguration
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
  }
}
Then from your main you could invoke it and pass the webapp principalId:
// main.bicep
param appConfigurationName string
param webAppName string

// get a reference to webapp
resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: webAppName
}

module roleAssignment 'app-configuration-role-assignment.bicep' = {
  name: 'app-configuration-role-assignment-to-webapp'
  scope: resourceGroup()
  params: {
    appConfigurationName: appConfigurationName
    principalId: webApp.identity.principalId
    roleId: '516239f1-63e1-4d78-a4de-a74fb236a071' // App Configuration Data Reader
  }
}

Referencing resource created in one module in another module Azure Bicep?

Suppose I have two files/modules in Azure Bicep, both are called in a 'main.bicep'. One is called 'storage.bicep' and contains, among others, the following code to create a storageAccount:
resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' = {
  name: 'tmpst4dnbnlp'
  location: location
  sku: {
    name: storageAccountSku
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    accessTier: 'Hot'
  }
}
Another file contains some LogicApp definitions and is called 'orchestration.bicep'. Now in this file, there is a part where I want to reference the 'storageAccountTemp' resource in module 'storage.bicep', as to provide the LogicApp system managed identity access the contributor role for the:
resource logicAppStorageAccountRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  scope: 'xxx'
  name: guid('ra-logicapp-${roleDefinitionId}')
  properties: {
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: logicAppTest.identity.principalId
  }
}
Where I need to specify the scope (that now says 'xxx'). I can't say resourceGroup() since the storage is in a different resource group. Instead, I want to reference the storageAccountTemp object. This seems impossible to do when the object is in a different module (I tried outputting the name and id and using these, but this was not accepted by Bicep).
Is there any way I can actually reference the original storageAccountTemp object from 'storage.bicep' in the 'orchestration.bicep' file?
You need to use an existing resource declaration. So you'll have something like:
resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
  scope: resourceGroup('blah')
  name: 'tmpst4dnbnlp'
}
And then you can use that for the scope property on the roleAssignment. How you get blah (the resourceGroup name) and the storageAccount name to the roleAssignment module depends... if the two modules are peers in the orchestrator, then usually those params are known and can be passed to both modules. Failing that you can use outputs from the storage module and pass those in as params to the roleAssignment.
That help?
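Added example (not the question's or the answer's code) wiring the three files together: storage.bicep exports only the account name, and a small role-assignment module deployed into the storage account's resource group redeclares the account as existing and uses it as the scope, so no resource needs to be referenced across modules. It assumes the logic app already exists with a system-assigned identity in the resource group main.bicep targets, and that the caller supplies the role definition GUID.

```bicep
// ===== storage.bicep ===== (module deployed to the storage resource group)
// Added example; file layout, names and parameters are assumptions.
param location string = resourceGroup().location
param storageAccountName string = 'tmpst4dnbnlp'
param storageAccountSku string = 'Standard_LRS'

resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: storageAccountSku
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    accessTier: 'Hot'
  }
}

// Only the name crosses the module boundary; the resource object itself cannot.
output storageAccountName string = storageAccountTemp.name

// ===== storage-role-assignment.bicep ===== (module deployed to the storage resource group)
param storageAccountName string
param principalId string
param roleDefinitionId string

// Redeclare as 'existing': nothing is created, but it is now a valid scope target.
resource storageAccountTemp 'Microsoft.Storage/storageAccounts@2021-08-01' existing = {
  name: storageAccountName
}

resource logicAppStorageAccountRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // Scope + role + principal: a different principal or role never reuses an old assignment name.
  name: guid(storageAccountTemp.id, roleDefinitionId, principalId)
  scope: storageAccountTemp
  properties: {
    principalType: 'ServicePrincipal'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: principalId
  }
}

// ===== main.bicep ===== (deployed to the logic app resource group)
param storageResourceGroupName string
param logicAppName string
param storageRoleDefinitionId string // assumption: caller passes the built-in role GUID to grant

module storage 'storage.bicep' = {
  name: 'storage'
  scope: resourceGroup(storageResourceGroupName)
}

// Assumption: the logic app exists here with a system-assigned identity.
resource logicAppTest 'Microsoft.Logic/workflows@2019-05-01' existing = {
  name: logicAppName
}

module logicAppStorageAccess 'storage-role-assignment.bicep' = {
  name: 'logicapp-storage-role-assignment'
  scope: resourceGroup(storageResourceGroupName) // the assignment lives where the storage account is
  params: {
    storageAccountName: storage.outputs.storageAccountName
    principalId: logicAppTest.identity.principalId
    roleDefinitionId: storageRoleDefinitionId
  }
}
```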

Azure Bicep - Referencing a variable that cannot be calculated at the start

I need to:
create a data factory
create a storage account
create a function app
add a role assignment for the data factory to the storage account
add a role assignment for the function app to the storage account
The data factory is created in a separate module from the "main" bicep. This is to prevent the "main" template being so large it is difficult to work with - one of the main benefits of bicep over arm templates. Same goes for creation of the function app.
For the role assignment I have:
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = {
  name: guid(storageAccount.id, contributorRoleId, adfDeploy.outputs.dfId)
  // ...
}
VSCode then presents the following "problem":
This expression is being used in an assignment to the "name" property
of the "Microsoft.Authorization/roleAssignments" type, which requires
a value that can be calculated at the start of the deployment.
Properties of adfDeploy which can be calculated at the start include
"name".
I can't compose the storageAccount Id from a string (subscription/rg/resource etc.) because the subscription id is also determined at runtime since the same main bicep is called for deployment to multiple subscriptions.
Is there any way to achieve what's needed without pulling back the creation of the data factory and function apps to the "main" bicep?
You could create a generic module for storage role assignment:
// storage-account-role-assignment.bicep
param storageAccountName string
param principalId string
param roleId string

// Get a reference to the storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {
  name: storageAccountName
}

// Grant permissions to the storage account
resource storageAccountAppRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(storageAccount.id, roleId, principalId)
  scope: storageAccount
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
  }
}
Then invoke this module from where you are creating data factory or function app:
// function-app.bicep
// ...
resource functionApp 'Microsoft.Web/sites@2021-03-01' = {
  name: functionAppName
  kind: 'functionapp'
  identity: {
    type: 'SystemAssigned'
  }
  // ...
}

// Create role assignment
module roleAssignment 'storage-account-role-assignment.bicep' = {
  name: 'function-storage-account-role-assignment'
  scope: resourceGroup()
  params: {
    storageAccountName: storageAccountName
    roleId: '<role-id>'
    principalId: functionApp.identity.principalId
  }
}

// data-factory.bicep
// ...
resource dataFactory 'Microsoft.DataFactory/factories@2018-06-01' = {
  name: name
  identity: {
    type: 'SystemAssigned'
  }
  // ...
}

// Create role assignment
module roleAssignment 'storage-account-role-assignment.bicep' = {
  name: 'data-factory-storage-account-role-assignment'
  scope: resourceGroup()
  params: {
    storageAccountName: storageAccountName
    roleId: '<role-id>'
    principalId: dataFactory.identity.principalId
  }
}

How can I create a resource group and add a key vault to it using Bicep?

I'm trying to create a resource group and add a key vault to it.
However, I'm not able to set the new resource group as a target resource group for the key vault.
How can I have the key vault assigned to the newly created resource group without creating a second Bicep module for it?
var loc = 'westus'

// outputs the newly created resource group
module rgCreate 'test.rg.bicep' = {
  scope: subscription()
  name: 'rgCreate'
  params: {
    rgLocation: loc
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: 'Test'
  location: loc
  properties: {
    enabledForTemplateDeployment: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
  }
}
This is the workflow I'm aiming at:
First, if the resource group does not exist, you can't have targetScope = 'resourceGroup' in the main.bicep file. The command az deployment group create will fail:
{"code": "ResourceGroupNotFound", "message": "Resource group '' could not be found."}
You could always trigger the deployment from another resource that already exists (not sure if it's a good idea though).
An approach could be to have your main.bicep invoke two modules: one for resource group creation, one for resource creation:
// =========== rg.bicep ===========
// Setting target scope
targetScope = 'subscription'

param name string
param location string

// Creating resource group
resource rg 'Microsoft.Resources/resourceGroups@2021-01-01' = {
  name: name
  location: location
}

// =========== resources.bicep ===========
param location string = resourceGroup().location
param keyVaultName string
// ...

// Deploying key vault
resource keyVault 'Microsoft.KeyVault/vaults@2021-10-01' = {
  name: keyVaultName
  location: location
  properties: {
    enabledForTemplateDeployment: true
    sku: {
      family: 'A'
      name: 'standard'
    }
    tenantId: tenant().tenantId
  }
}

// Deploying other resources
// ...

// =========== main.bicep ===========
// Setting target scope
targetScope = 'subscription'

// Parameters
param rgName string = 'test-rg'
param rgLocation string = 'westus'
param keyVaultName string
// ...

// Creating resource group
module rgModule 'rg.bicep' = {
  scope: subscription()
  name: '${rgName}-create'
  params: {
    name: rgName
    location: rgLocation
  }
}

// Deploying resources in the newly created resource group
module resources 'resources.bicep' = {
  name: '${rgName}-resources-deployment'
  scope: resourceGroup(rgName)
  dependsOn: [ rgModule ]
  params: {
    location: rgLocation
    keyVaultName: keyVaultName
    // ...
  }
}
To be honest, you could just run the az group create command before deploying your template; it will make things simpler.
