reinstate "ARO v4 Development Subnet Contributor" development role definition

2020-01-03 12:11:53 -06:00 · 2020-01-03 12:11:53 -06:00 · 2326214a8a
--- a/deploy/rbac-development.json
+++ b/deploy/rbac-development.json
@ -82,6 +82,27 @@
                "roleName": "ARO v4 Development First Party Managed Resource Group"
            }
        },
+        {
+            "name": "f3fe7bc1-0ef9-4681-a68c-c1fa285d6128",
+            "apiVersion": "2017-09-01",
+            "type": "Microsoft.Authorization/roleDefinitions",
+            "properties": {
+                "assignableScopes": [
+                    "[concat('/subscriptions/', subscription().subscriptionId)]"
+                ],
+                "permissions": [
+                    {
+                        "actions": [
+                            "Microsoft.Network/virtualNetworks/join/action",
+                            "Microsoft.Network/virtualNetworks/subnets/join/action",
+                            "Microsoft.Network/virtualNetworks/subnets/read",
+                            "Microsoft.Network/virtualNetworks/subnets/write"
+                        ]
+                    }
+                ],
+                "roleName": "ARO v4 Development Subnet Contributor"
+            }
+        },
        {
            "name": "[guid(subscription().id, 'FP / ARO v4 FP Subscription')]",
            "apiVersion": "2017-09-01",
--- a/python/az/aro/azext_aro/_rbac.py
+++ b/python/az/aro/azext_aro/_rbac.py
@ -1,6 +1,7 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the Apache License 2.0.

+import os
 import uuid

 from azure.cli.core.commands.client_factory import get_mgmt_service_client
@ -11,6 +12,7 @@ from msrestazure.tools import resource_id


 CONTRIBUTOR = 'b24988ac-6180-42a0-ab88-20f7382dd24c'
+DEVELOPMENT_CONTRIBUTOR = 'f3fe7bc1-0ef9-4681-a68c-c1fa285d6128'


 def assign_contributor_to_vnet(cli_ctx, vnet, object_id):
@ -24,7 +26,7 @@ def assign_contributor_to_vnet(cli_ctx, vnet, object_id):
        subscription=get_subscription_id(cli_ctx),
        namespace='Microsoft.Authorization',
        type='roleDefinitions',
-        name=CONTRIBUTOR,
+        name=DEVELOPMENT_CONTRIBUTOR if rp_mode_development() else CONTRIBUTOR,
    )

    for assignment in list(client.role_assignments.list_for_scope(vnet)):
@ -37,3 +39,7 @@ def assign_contributor_to_vnet(cli_ctx, vnet, object_id):
        principal_id=object_id,
        principal_type='ServicePrincipal',
    ))
+
+
+def rp_mode_development():
+    return os.environ.get('RP_MODE', '').lower() == 'development'
--- a/python/az/aro/azext_aro/custom.py
+++ b/python/az/aro/azext_aro/custom.py
@ -106,6 +106,8 @@ def aro_create(cmd,  # pylint: disable=too-many-locals


 def aro_delete(client, resource_group_name, resource_name, no_wait=False):
+    # TODO: clean up rbac
+
    return sdk_no_wait(no_wait, client.delete,
                       resource_group_name=resource_group_name,
                       resource_name=resource_name)