-1

i would like to do this steps App Configuration -> Access control (IAM) -> Add role assigment -> App Configuration Data Reader -> Assign access to Managed identity -> Select Members (choose my app service) -> Save but instead of using Azure Portal for that, I wanted to use ARM/Bicep template, I tried something like this:

targetScope = 'resourceGroup'

param principalId string = 'x-x-x-x-x-x-x-x-x'
param roleDefinitionId string = 'x-x-x-x-x-x'

var roleAssignmentName = guid('/', principalId, roleDefinitionId)

resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-03-01-preview' = {
  name: roleAssignmentName
  properties: {
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: principalId
  }
}

But there are 2 problems with this solutions. Firstly, I am using this targetScope = resourceGroup which creates this Role inside RG, and then my App Confiugration just inherit it from RG. Probably, the proper solution would be to provide App Configuration name somewhere, so it would be used instead of scoping it to Resource Group.

Also, hard-coding principalId and roleDefinitionId like this feels pretty bad, but f.e I can't access principalID of my Web App by doing something like this:

resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: 'myUniqueWebAppName'
}
param principalId string = webApp.identity.principalId

as it says that This symbol cannot be referenced here. Only other parameters can be referenced in parameter default values. Also, I don't know how to access roleDefinitionId, I know where to find it in Azure Portal, but no idea how to access it without hard-coding.

Thomas
  • 24,234
  • 6
  • 81
  • 125
user346206
  • 165
  • 10

1 Answers1

1

Few things :

  • You can specify the scope fo the roleAssignment using the scope property.
  • Role Id won't change so hardcoding roleId is not really an issue, you could alway pass it as a parameter as well.
  • If you create a module to do the role assignment, you would be able to inject the webapp principalId

you can create a module like that:

// app-configuration-role-assignment.bicep

param appConfigurationName string
param principalId string
param roleId string

// Get a reference to app config
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2022-05-01' existing = {
  name: appConfigurationName
}

// Grant permission
resource appConfigurationRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(appConfiguration.id, roleId, principalId)
  scope: appConfiguration
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleId)
    principalId: principalId
  }
}

Then from your main you could invoke it and pass the webapp principalId:

// main.bicep

param appConfigurationName string
param webAppName string

// get a reference to webapp
resource webApp 'Microsoft.Web/sites@2022-03-01' existing = {
  name: webAppName
}

module roleAssignment 'app-configuration-role-assignment.bicep' = {
  name: 'app-configuration-role-assignment-to-webapp'
  scope: resourceGroup()
  params: {
    appConfigurationName: appConfigurationName
    principalId: webApp.identity.principalId
    roleId: '516239f1-63e1-4d78-a4de-a74fb236a071' // App Configuration Data Reader
  }
}
Thomas
  • 24,234
  • 6
  • 81
  • 125
  • Awesome, it did work! Thank you. One question though, why do we provide `scope: resourceGroup()` in the `main.bicep` file? – user346206 Sep 08 '22 at 10:47
  • 1
    When you invoke a module from your main it creates a new deployment. Somehow you would need to define the scope of this inner deployment, could be the same resource goup or another one. Depends where are the resources located – Thomas Sep 08 '22 at 10:56