Fixes bug with ama role assignments (#1593)
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Родитель
cd5370b4dd
Коммит
59b2ca1a2f
|
@ -51,6 +51,22 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
|
|||
|
||||
- Add new Regulatory Compliance Policy Assignment flexibility feature
|
||||
- Added ARM template to enable Microsoft Defender for Cloud as part of the deployment. Policies will still remediate additional subscriptions added to ALZ after deployment.
|
||||
- Resolved an issue that prevented the policy remediation from working properly for VM Insights, Change Tracking, Azure Update Manager policies. The root cause was a too restrictive access configuration for the Managed Identity that performs the remediation tasks.
|
||||
- **New deployments will now:**
|
||||
- Add an additional role assignment for VMInsights Policies that are assigned at Landing Zone management group scope, granting the Managed Identity the Reader role on the Platform management group.
|
||||
- Add an additional role assignment for ChangeTracking Policies that are assigned at Landing Zone management group scope, granting the Managed Identity the Reader role on the Platform management group.
|
||||
- Add an additional role assignment to Azure Update Manger Policies, granting Managed Identity Operator at the same scope as the assignment.
|
||||
- **To update an existing deployment:**
|
||||
- For each of the VMInsights and ChangeTracking Initiative assignments:
|
||||
- **Only required for the Initiatives assigned to Landing Zones Management group scope**
|
||||
- Go to the Initiative assignment, go to the Managed Identity tab and copy the Principal ID
|
||||
- Go to Management Groups, select the Platform Management group and go to Access control (IAM)
|
||||
- Add a new role assignment and assign the Reader role the Principal ID that was copied in the first step.
|
||||
- For each of the Azure Update Manger Initiative assignments:
|
||||
- **Applies to the Initiatives assigned to both the Landing Zones and the Platform Management group scopes**
|
||||
- Go to the Initiative assignment, go to the Managed Identity tab and copy the Principal ID
|
||||
- Go to Management Groups, select the same management group as the assignment you copied the Principal ID from and go to Access control (IAM)
|
||||
- Add a new role assignment and assign the Managed Identity Operator role the Principal ID that was copied in the first step.
|
||||
|
||||
### February 2024
|
||||
|
||||
|
|
|
@ -3226,6 +3226,9 @@
|
|||
},
|
||||
"scope": {
|
||||
"value": "[variables('scopes').lzsManagementGroup]"
|
||||
},
|
||||
"platformScope": {
|
||||
"value": "[variables('scopes').platformManagementGroup]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -3308,6 +3311,9 @@
|
|||
},
|
||||
"scope": {
|
||||
"value": "[variables('scopes').lzsManagementGroup]"
|
||||
},
|
||||
"platformScope": {
|
||||
"value": "[variables('scopes').platformManagementGroup]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -3376,6 +3382,9 @@
|
|||
},
|
||||
"scope": {
|
||||
"value": "[variables('scopes').lzsManagementGroup]"
|
||||
},
|
||||
"platformScope": {
|
||||
"value": "[variables('scopes').platformManagementGroup]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -3568,6 +3577,9 @@
|
|||
},
|
||||
"scope": {
|
||||
"value": "[variables('scopes').lzsManagementGroup]"
|
||||
},
|
||||
"platformScope": {
|
||||
"value": "[variables('scopes').platformManagementGroup]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -3650,6 +3662,9 @@
|
|||
},
|
||||
"scope": {
|
||||
"value": "[variables('scopes').lzsManagementGroup]"
|
||||
},
|
||||
"platformScope": {
|
||||
"value": "[variables('scopes').platformManagementGroup]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -3718,6 +3733,9 @@
|
|||
},
|
||||
"scope": {
|
||||
"value": "[variables('scopes').lzsManagementGroup]"
|
||||
},
|
||||
"platformScope": {
|
||||
"value": "[variables('scopes').platformManagementGroup]"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -106,6 +106,14 @@
|
|||
"displayName": "Scope",
|
||||
"description": "Scope of the policy assignment"
|
||||
}
|
||||
},
|
||||
"platformScope": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Platform Scope",
|
||||
"description": "Scope of the reader role assignment"
|
||||
},
|
||||
"defaultValue": "[parameters('scope')]"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
|
@ -124,9 +132,11 @@
|
|||
},
|
||||
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
|
||||
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
|
||||
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
|
||||
"roleAssignmentNames": {
|
||||
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-1',parameters('scope')))]",
|
||||
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-2',parameters('scope')))]"
|
||||
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-2',parameters('scope')))]",
|
||||
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-3',parameters('scope')))]"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
@ -186,6 +196,21 @@
|
|||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
|
||||
"scope": "[parameters('platformScope')]",
|
||||
"dependsOn": [
|
||||
"[variables('policyAssignmentNames').vmArcChangeTracking]"
|
||||
],
|
||||
"properties": {
|
||||
"principalType": "ServicePrincipal",
|
||||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
|
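Review bot: The new Reader assignment is deployed at `parameters('platformScope')` (the `"scope"` line of the added resource) but its name is still seeded from `parameters('scope')` in the `roleAssignmentNameReader` variable, so the same template deployed with the same `scope` but a different `platformScope` would reuse a GUID that already exists at another scope, which Azure RBAC rejects (role-assignment GUIDs are treated as tenant-unique and a redeploy with changed scope fails rather than updates); seeding the name from the scope it is actually created at avoids that: `"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-3',parameters('platformScope')))]"`. The same pattern is repeated in the vmChangeTracking, vmssChangeTracking, vmHybridMonitoring, vmMonitoring and vmssMonitoring templates below (their `roleAssignmentNameReader` lines use `'-3'` or `'-5'` with `parameters('scope')`), so the change applies to all six. It is also worth confirming that an extension resource whose `"scope"` names a management group other than the one the nested deployment targets is accepted by the deployment engine, since this is the first cross-management-group role assignment in these templates. Minor consistency point: this resource's `"dependsOn"` lists the bare policy assignment name, while the vmCheckUpdates template uses the `resourceId('Microsoft.Authorization/policyAssignments', ...)` form; picking one form across the templates makes the dependency explicit.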
|
|
@ -125,6 +125,14 @@
|
|||
"displayName": "Scope",
|
||||
"description": "Scope of the policy assignment"
|
||||
}
|
||||
},
|
||||
"platformScope": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Platform Scope",
|
||||
"description": "Scope of the reader role assignment"
|
||||
},
|
||||
"defaultValue": "[parameters('scope')]"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
|
@ -145,11 +153,13 @@
|
|||
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
|
||||
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
|
||||
"rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
|
||||
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
|
||||
"roleAssignmentNames": {
|
||||
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,parameters('scope')))]",
|
||||
"roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-2',parameters('scope')))]",
|
||||
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-3',parameters('scope')))]",
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-4',parameters('scope')))]"
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-4',parameters('scope')))]",
|
||||
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-5',parameters('scope')))]"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
@ -244,6 +254,21 @@
|
|||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
|
||||
"scope": "[parameters('platformScope')]",
|
||||
"dependsOn": [
|
||||
"[variables('policyAssignmentNames').vmChangeTracking]"
|
||||
],
|
||||
"properties": {
|
||||
"principalType": "ServicePrincipal",
|
||||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
|
|
|
@ -125,6 +125,14 @@
|
|||
"displayName": "Scope",
|
||||
"description": "Scope of the policy assignment"
|
||||
}
|
||||
},
|
||||
"platformScope": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Platform Scope",
|
||||
"description": "Scope of the reader role assignment"
|
||||
},
|
||||
"defaultValue": "[parameters('scope')]"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
|
@ -145,11 +153,13 @@
|
|||
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
|
||||
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
|
||||
"rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
|
||||
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
|
||||
"roleAssignmentNames": {
|
||||
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-1',parameters('scope')))]",
|
||||
"roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-2',parameters('scope')))]",
|
||||
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-3',parameters('scope')))]",
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-4',parameters('scope')))]"
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-4',parameters('scope')))]",
|
||||
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-5',parameters('scope')))]"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
@ -244,6 +254,21 @@
|
|||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
|
||||
"scope": "[parameters('platformScope')]",
|
||||
"dependsOn": [
|
||||
"[variables('policyAssignmentNames').vmssChangeTracking]"
|
||||
],
|
||||
"properties": {
|
||||
"principalType": "ServicePrincipal",
|
||||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
|
|
|
@ -40,6 +40,14 @@
|
|||
"displayName": "Scope",
|
||||
"description": "Scope of the policy assignment"
|
||||
}
|
||||
},
|
||||
"platformScope": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Platform Scope",
|
||||
"description": "Scope of the reader role assignment"
|
||||
},
|
||||
"defaultValue": "[parameters('scope')]"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
|
@ -58,9 +66,11 @@
|
|||
},
|
||||
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
|
||||
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
|
||||
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
|
||||
"roleAssignmentNames": {
|
||||
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-1',parameters('scope')))]",
|
||||
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-2',parameters('scope')))]"
|
||||
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-2',parameters('scope')))]",
|
||||
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-3',parameters('scope')))]"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
@ -117,6 +127,21 @@
|
|||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
|
||||
"scope": "[parameters('platformScope')]",
|
||||
"dependsOn": [
|
||||
"[variables('policyAssignmentNames').vmHybridMonitoring]"
|
||||
],
|
||||
"properties": {
|
||||
"principalType": "ServicePrincipal",
|
||||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
|
|
|
@ -41,7 +41,7 @@
|
|||
"description": "Enable processes and dependencies for the VMs"
|
||||
}
|
||||
},
|
||||
"scopeToSupportedImages":{
|
||||
"scopeToSupportedImages": {
|
||||
"type": "bool",
|
||||
"defaultValue": false,
|
||||
"metadata": {
|
||||
|
@ -66,6 +66,14 @@
|
|||
"displayName": "Scope",
|
||||
"description": "Scope of the policy assignment"
|
||||
}
|
||||
},
|
||||
"platformScope": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Platform Scope",
|
||||
"description": "Scope of the reader role assignment"
|
||||
},
|
||||
"defaultValue": "[parameters('scope')]"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
|
@ -86,11 +94,13 @@
|
|||
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
|
||||
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
|
||||
"rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
|
||||
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
|
||||
"roleAssignmentNames": {
|
||||
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,parameters('scope')))]",
|
||||
"roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-2',parameters('scope')))]",
|
||||
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-3',parameters('scope')))]",
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-4',parameters('scope')))]"
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-4',parameters('scope')))]",
|
||||
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring,'-5',parameters('scope')))]"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
@ -185,8 +195,22 @@
|
|||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
|
||||
"scope": "[parameters('platformScope')]",
|
||||
"dependsOn": [
|
||||
"[variables('policyAssignmentNames').vmMonitoring]"
|
||||
],
|
||||
"properties": {
|
||||
"principalType": "ServicePrincipal",
|
||||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
}
|
||||
|
|
@ -41,7 +41,7 @@
|
|||
"description": "Enable processes and dependencies for the VMs"
|
||||
}
|
||||
},
|
||||
"scopeToSupportedImages":{
|
||||
"scopeToSupportedImages": {
|
||||
"type": "bool",
|
||||
"defaultValue": false,
|
||||
"metadata": {
|
||||
|
@ -66,6 +66,14 @@
|
|||
"displayName": "Scope",
|
||||
"description": "Scope of the policy assignment"
|
||||
}
|
||||
},
|
||||
"platformScope": {
|
||||
"type": "String",
|
||||
"metadata": {
|
||||
"displayName": "Platform Scope",
|
||||
"description": "Scope of the reader role assignment"
|
||||
},
|
||||
"defaultValue": "[parameters('scope')]"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
|
@ -86,11 +94,13 @@
|
|||
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
|
||||
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
|
||||
"rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
|
||||
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
|
||||
"roleAssignmentNames": {
|
||||
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-1',parameters('scope')))]",
|
||||
"roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-2',parameters('scope')))]",
|
||||
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-3',parameters('scope')))]",
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-4',parameters('scope')))]"
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-4',parameters('scope')))]",
|
||||
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssMonitoring,'-5',parameters('scope')))]"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
@ -185,6 +195,21 @@
|
|||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
|
||||
"scope": "[parameters('platformScope')]",
|
||||
"dependsOn": [
|
||||
"[variables('policyAssignmentNames').vmssMonitoring]"
|
||||
],
|
||||
"properties": {
|
||||
"principalType": "ServicePrincipal",
|
||||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
|
|
|
@ -85,9 +85,11 @@
|
|||
},
|
||||
"rbacVmContributor": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
|
||||
"rbacConnectedMachineResourceAdministrator": "cd570a14-e51a-42ad-bac8-bafd67325302",
|
||||
"rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
|
||||
"roleAssignmentNames": {
|
||||
"roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-1',parameters('scope')))]",
|
||||
"roleAssignmentNameConnectedMachineResourceAdministrator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-2',parameters('scope')))]"
|
||||
"roleAssignmentNameConnectedMachineResourceAdministrator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-2',parameters('scope')))]",
|
||||
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmCheckUpdates,'-3',parameters('scope')))]"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
@ -138,7 +140,7 @@
|
|||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
},
|
||||
{
|
||||
{
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[variables('roleAssignmentNames').roleAssignmentNameConnectedMachineResourceAdministrator]",
|
||||
|
@ -150,6 +152,19 @@
|
|||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacConnectedMachineResourceAdministrator'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"type": "Microsoft.Authorization/roleAssignments",
|
||||
"apiVersion": "2022-04-01",
|
||||
"name": "[variables('roleAssignmentNames').roleAssignmentNameManagedIdentityOperator]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Authorization/policyAssignments', variables('policyAssignmentNames').vmCheckUpdates)]"
|
||||
],
|
||||
"properties": {
|
||||
"principalType": "ServicePrincipal",
|
||||
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
|
||||
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmCheckUpdates), '2019-09-01', 'Full' ).identity.principalId)]"
|
||||
}
|
||||
}
|
||||
],
|
||||
"outputs": {}
|
||||
|
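Review bot: The added Managed Identity Operator assignment (the resource named by `roleAssignmentNameManagedIdentityOperator`) is created unconditionally at the assignment scope, and because that scope is a management group the policy identity gains the role over every user-assigned managed identity beneath it, not only the one the remediation attaches; the template gives no indication that this breadth is intended. Since ARM JSON has no comments, record the reason on the resource itself with the ignored `comments` property, e.g. `"comments": "Managed Identity Operator lets remediation attach the user-assigned identity to machines in scope; note it also covers every other user-assigned identity under this management group."`, so the next reviewer of least privilege can see the trade-off was deliberate. If a narrower grant is possible (for example at the resource group or identity that holds the shared user-assigned identity), that would be the preferred fix, but it depends on where that identity lives, which this diff does not show.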
|