I am trying to create an ARM template that assigns an RBAC role to a group at the management group level. I can do this via the CLI and PowerShell, but I cannot get it to work through an ARM template.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "xxxx",
      "metadata": {
        "description": "roleDefinition for the assignment - default is reader"
      }
    }
  },
  "variables": {
    "roleAssignmentName": "[guid('/', variables('xxx'), parameters('roleDefinitionId'))]"
  },
  "resources": [
    {
      "name": "[variables('roleAssignmentName')]",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "scope": "/providers/Microsoft.Management/managementGroups/xxxx",
      "properties": {
        "mode": "Incremental",
        "roleDefinitionId": "xxx",
        "principalId": "xxxx",
        "principalType": "Group"
      }
    }
  ]
}
Does anyone know whether management groups are supported, and if so, what I am doing wrong?
Here is the official documentation for ARM role assignments, https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template, which shows doing this for subscriptions and resource groups.
Answer 0 (score: 0)
Remove the scope property from your resource definition...
TL;DR: roleAssignments can only be deployed at the scope they are assigned to, so that property is irrelevant. Also, the scope property does not work on managementGroup extension resources (confusing, I know), which is just a point-in-time thing. The scope property is normally used to target a resource at a different scope (i.e. different from the template deployment itself), but since roleAssignments cannot be retargeted you do not need it, and in this case it causes you problems.
Here is my example (note that I do not have the principalType property, so it uses the default):
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "principalId if the user that will be given contributor access to the resourceGroup"
      }
    },
    "roleDefinitionId": {
      "type": "string",
      "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
      "metadata": {
        "description": "roleDefinition for the assignment - default is contributor"
      }
    },
    "managementGroupName": {
      "type": "string",
      "metadata": {
        "description": "Name of the managementGroup for the roleAssignment"
      }
    }
  },
  "variables": {
    // this creates an idempotent GUID for the role assignment
    "roleAssignmentName": "[guid(parameters('managementGroupName'), parameters('principalId'), parameters('roleDefinitionId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "properties": {
        "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
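As an added illustration (not code from the question or the answer), the following pre-deployment lint encodes the points made above: a `roleAssignments` resource in a management group template must not carry a `scope` property, `mode` is a deployment setting rather than a resource property, the name should be a `guid(...)` expression so redeploys are idempotent, and `roleDefinitionId` must be a full role definition resource id. The two embedded templates are constructed samples with fake placeholder values.

```python
import json
import re

# Constructed samples (not from the post): the failing pattern from the question,
# then the corrected pattern from the answer. Placeholders are deliberately fake.
BROKEN = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "resources": [{
        "name": "[guid('/', 'xxx')]",
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "scope": "/providers/Microsoft.Management/managementGroups/xxxx",
        "properties": {"mode": "Incremental", "roleDefinitionId": "xxx", "principalId": "xxxx"}}]})
FIXED = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "resources": [{
        "name": "[guid(parameters('managementGroupName'), parameters('principalId'), parameters('roleDefinitionId'))]",
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "properties": {
            "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
            "principalId": "[parameters('principalId')]"}}]})

def lint_mg_role_assignments(template_text: str) -> list:
    """Return findings for roleAssignments resources in a management group
    deployment template; an empty list means the checks passed."""
    tpl = json.loads(template_text)
    if "managementGroupDeploymentTemplate" not in tpl.get("$schema", ""):
        return ["$schema is not the management group deployment template schema"]
    findings = []
    for res in tpl.get("resources", []):
        if res.get("type") != "Microsoft.Authorization/roleAssignments":
            continue
        name, props = res.get("name", "<unnamed>"), res.get("properties", {})
        if "scope" in res:  # the problem the answer identifies
            findings.append(f"{name}: drop 'scope'; roleAssignments deploy at the template's own scope")
        if "mode" in props:  # 'mode' belongs to the deployment, not to the resource
            findings.append(f"{name}: 'mode' is not a roleAssignments property")
        if not re.search(r"\bguid\(", name):  # a stable name makes redeploys idempotent
            findings.append(f"{name}: name should be a guid(...) expression")
        rdid = props.get("roleDefinitionId", "")
        if "roleDefinitions" not in rdid:  # must be a full role definition resource id
            findings.append(f"{name}: roleDefinitionId should be a full resource id (e.g. tenantResourceId)")
        for key in ("principalId", "roleDefinitionId"):
            if not props.get(key):
                findings.append(f"{name}: properties.{key} is required")
    return findings
```

Running it over the question's pattern reports the stray `scope`, the misplaced `mode`, and the bare `roleDefinitionId`; the answer's pattern passes cleanly.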