ARM template for role assignment at management group level

Time: 2021-02-04 18:42:14

Tags: azure azure-resource-manager arm-template rbac

I am trying to create an ARM template that assigns an RBAC role to a group at the management group level. I can do this via the CLI and PowerShell, but I cannot get it to work via an ARM template.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "roleDefinitionId": {
            "type": "string",
            "defaultValue": "xxxx",
            "metadata": {
                "description": "roleDefinition for the assignment - default is reader"
            }
        }
    },
    "variables": {
        "roleAssignmentName": "[guid('/', variables('xxx'), parameters('roleDefinitionId'))]"
    },
    "resources": [
        {
            "name": "[variables('roleAssignmentName')]",
            "type": "Microsoft.Authorization/roleAssignments",
            "apiVersion": "2020-04-01-preview",
            "scope": "/providers/Microsoft.Management/managementGroups/xxxx",
            "properties": {
                "mode": "Incremental",
                "roleDefinitionId": "xxx",
                "principalId": "xxxx",
                "principalType": "Group"
            }
        }
    ]
}

Does anyone know whether management groups are supported, and if so, what I am doing wrong?

Here is the official documentation for ARM role assignments, https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template, which shows how to do this for subscriptions and resource groups.

1 answer:

Answer 0: (score: 0)

Remove the scope property from your resource definition...

TLDR; roleAssignments can only be deployed to the scope they are assigned to, so the property is extraneous. Also, the scope property does not work for managementGroup extension resources (confusing, I know), which is just a point-in-time thing. The scope property is generally used to target a resource to a different scope (i.e. different from the template deployment itself), but since roleAssignments cannot be re-targeted, you do not need it, and in this case it will cause you problems.

Here is my sample (note that I do not have the principalType property, so it uses the default):

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "principalId": {
        "type": "string",
        "metadata": {
          "description": "principalId of the user that will be given contributor access to the managementGroup"
        }
      },
      "roleDefinitionId": {
        "type": "string",
        "defaultValue": "b24988ac-6180-42a0-ab88-20f7382dd24c",
        "metadata": {
          "description": "roleDefinition for the assignment - default is contributor"
        }
      },
      "managementGroupName": {
        "type": "string",
        "metadata": {
          "description": "Name of the managementGroup for the roleAssignment"
        }
      }
    },
    "variables": {
      // this creates an idempotent GUID for the role assignment
      "roleAssignmentName": "[guid(parameters('managementGroupName'), parameters('principalId'), parameters('roleDefinitionId'))]"
     },
    "resources": [
      {
        "type": "Microsoft.Authorization/roleAssignments",
        "apiVersion": "2020-04-01-preview",
        "name": "[variables('roleAssignmentName')]",
        "properties": {
          "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
          "principalId": "[parameters('principalId')]"
        }
      }
    ]
  }
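As an added example that is not part of the question or the answer above, the following Python script checks a management-group-scope ARM template for the pitfalls the answer points at: a `scope` property on the roleAssignments resource, a key inside `properties` that is not a roleAssignments property (the question's `"mode": "Incremental"` is a deployment setting, not a resource property), a bare GUID instead of a full role definition resource ID, and a resource name that is not a GUID expression. It also strips the `//` comments that ARM templates allow but `json.loads` rejects. The two embedded templates are constructed to mirror the shapes of the question's and the answer's templates; the placeholders are kept as-is, and the checks encode only what the two templates on this page show.

```python
"""Added example: lint a management-group ARM template for roleAssignments pitfalls."""
import json
import re

# Constructed sample mirroring the question's template (placeholders kept as posted).
BROKEN_TEMPLATE = r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "name": "[guid('/', 'xxx', 'xxx')]",
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "scope": "/providers/Microsoft.Management/managementGroups/xxxx",
      "properties": {
        "mode": "Incremental",
        "roleDefinitionId": "xxx",
        "principalId": "xxxx",
        "principalType": "Group"
      }
    }
  ]
}
'''

# Constructed sample mirroring the answer's template, including an ARM-style // comment.
FIXED_TEMPLATE = r'''
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "variables": {
    // this creates an idempotent GUID for the role assignment
    "roleAssignmentName": "[guid(parameters('managementGroupName'), parameters('principalId'), parameters('roleDefinitionId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleAssignmentName')]",
      "properties": {
        "roleDefinitionId": "[tenantResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]"
      }
    }
  ]
}
'''

# Properties the roleAssignments resource actually accepts.
KNOWN_PROPS = {"roleDefinitionId", "principalId", "principalType", "description",
               "condition", "conditionVersion", "delegatedManagedIdentityResourceId"}
# Match a JSON string literal, a // line comment, or a /* */ block comment; strings win
# because they are matched at their opening quote, so "https://..." is never clipped.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_GUID = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$', re.I)
_VAR_REF = re.compile(r"^\[variables\('([^']+)'\)\]$")
_ID_FUNCS = ("tenantResourceId(", "subscriptionResourceId(", "extensionResourceId(", "resourceId(")


def load_arm_template(text: str) -> dict:
    """Parse an ARM template, dropping comments that appear outside string literals."""
    clean = _TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)
    return json.loads(clean)


def _resolve_name(template: dict, name: str) -> str:
    """Follow a single [variables('x')] reference so the GUID check sees the expression."""
    ref = _VAR_REF.match(name)
    return template.get("variables", {}).get(ref.group(1), name) if ref else name


def check_mg_role_assignments(template: dict) -> list:
    """Return 'error: ...' / 'note: ...' findings for each roleAssignments resource."""
    findings = []
    is_mg = "managementGroupDeploymentTemplate" in template.get("$schema", "")
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Authorization/roleAssignments":
            continue
        props = res.get("properties", {})
        if is_mg and "scope" in res:
            findings.append("error: scope: roleAssignments deploy at the deployment scope; "
                            "drop the property in a management-group template")
        for key in props:
            if key not in KNOWN_PROPS:
                findings.append(f"error: properties.{key}: not a roleAssignments property "
                                "(deployment mode belongs to the deployment, not the resource)")
        rdid = props.get("roleDefinitionId", "")
        if not (rdid.startswith("/providers/Microsoft.Authorization/roleDefinitions/")
                or any(fn in rdid for fn in _ID_FUNCS)):
            findings.append("error: properties.roleDefinitionId: must be a full role definition "
                            "resource ID (e.g. tenantResourceId(...)), not a bare GUID")
        name = _resolve_name(template, res.get("name", ""))
        if not (_GUID.match(name) or "guid(" in name):
            findings.append("error: name: a role assignment name must be a GUID; use guid(...)")
        if "principalType" not in props:
            findings.append("note: properties.principalType: absent, the service applies its default")
    return findings


def lint_template(text: str) -> list:
    return check_mg_role_assignments(load_arm_template(text))


if __name__ == "__main__":
    for label, tpl in (("question", BROKEN_TEMPLATE), ("answer", FIXED_TEMPLATE)):
        print(label, lint_template(tpl) or ["clean"])
```

Running the script prints three errors for the question-shaped template (scope, properties.mode, roleDefinitionId) and only the principalType note for the answer-shaped one. Once a template passes, it is deployed at management-group scope with `az deployment mg create --management-group-id <mg-name> --location <region> --template-file <file>` (or `New-AzManagementGroupDeployment` in PowerShell); the deploying identity needs `Microsoft.Authorization/roleAssignments/write` at that management group, which Owner or User Access Administrator grants.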