54 строки
2.0 KiB
Bicep
54 строки
2.0 KiB
Bicep
// ----------------------------------------------------------------------------------
|
|
// Copyright (c) Microsoft Corporation.
|
|
// Licensed under the MIT license.
|
|
//
|
|
// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
|
|
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
|
|
// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
// ----------------------------------------------------------------------------------
|
|
|
|
targetScope = 'managementGroup'
|
|
|
|
@description('Management Group Id for assignable scope.')
|
|
param assignableMgId string
|
|
|
|
var scope = tenantResourceId('Microsoft.Management/managementGroups', assignableMgId)
|
|
var roleName = 'Custom - Landing Zone Subscription Owner'
|
|
var roleDescription = 'Delegated role for subscription owner generated from subscription Owner role.'
|
|
|
|
// Telemetry - Azure customer usage attribution
|
|
// Reference: https://docs.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
|
|
var telemetry = json(loadTextContent('../config/telemetry.json'))
|
|
module telemetryCustomerUsageAttribution '../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
|
|
name: 'pid-${telemetry.customerUsageAttribution.modules.roles}'
|
|
}
|
|
|
|
// Reference: https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access
|
|
resource roleDefn 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
|
|
name: guid(roleName)
|
|
scope: managementGroup()
|
|
properties: {
|
|
roleName: roleName
|
|
description: roleDescription
|
|
permissions: [
|
|
{
|
|
actions: [
|
|
'*'
|
|
]
|
|
notActions: [
|
|
'Microsoft.Authorization/*/write'
|
|
'Microsoft.Network/vpnGateways/*'
|
|
'Microsoft.Network/expressRouteCircuits/*'
|
|
'Microsoft.Network/routeTables/write'
|
|
'Microsoft.Network/vpnSites/*'
|
|
]
|
|
dataActions: []
|
|
notDataActions: []
|
|
}
|
|
]
|
|
assignableScopes: [
|
|
scope
|
|
]
|
|
}
|
|
}
|