Deploying Rbac to Management via bicep.

[pattisanta]

Hi,
I am hoping someone can help me.
The error I am getting
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"InvalidRoleDefinitionId","message":"The role definition ID 'Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' is not valid."}]}
Here is a snippet of my bicep file.

targetScope = 'managementGroup'

param principalId string = 'e318f1ae-0574-44e4-b9b2-8d8e855441a00'
param roleDefinitinGuid string = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  name: roleDefinitinGuid
}
var ownerroleAssignGuid = guid(principalId,roleDef.id)


resource roleassignment 'Microsoft.Authorization/roleAssignments@2018-01-01-preview' = {
  name: ownerroleAssignGuid
  properties: {
    principalId: principalId
    roleDefinitionId: roleDef.id
  }
}

I have been able to deploy to RG,sub, and resources, with the same bicep file the only thing that i have done different is to change the targetscope

Thank you,
Patti

[majastrz]

This could be caused by a bug in Bicep. Can you tell me what the roleDefinitionId property is set to in the JSON we produced? I'm guessing it's an expression that evaluates to Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635 instead of a fully qualified resource ID.

[pattisanta]

"roleDefinitionId": "[format('Microsoft.Authorization/roleDefinitions/{0}', parameters('roleDefinitinGuid'))]"

[alex-frankel]

roleDefinitions are weird. I think they are technically stored at a subscription scope and duplicated for all subs. Are you able to pass in a subscriptionId as a param? You won't be able to retrieve it dynamically because you are in an MG context.

Something like this should work:

resource roleDef 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' existing = {
  scope: subscription('<SUBID>')
  name: roleDefinitinGuid
}

[pattisanta]

Hi Alex, Yes. I can deploy rbac to subscription without an issue. I really wanted to deploy the RBAC Roles and principal id at management group level will hold a number subscriptions . So I don’t have to keep redeploying the same rbac configuration across the subscription. Patti From: Alex Frankel ***@***.***> Sent: Friday, July 9, 2021 2:30 PM To: Azure/bicep ***@***.***> Cc: Santacroce, Patti ***@***.***>; Author ***@***.***> Subject: Re: [Azure/bicep] Deploying Rbac to Management via bicep. (#3544) roleDefinitions are weird. I think they are technically stored at a subscription scope and duplicated for all subs. Are you able to pass in a subscriptionId as a param? You won't be able to retrieve it dynamically because you are in an MG context. Something like this should work: resource roleDef ***@***.***' existing = { scope: subscription('<SUBID>') name: roleDefinitinGuid } — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#3544 (reply in thread)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AECGXAFTYLCC27EXGHTZPXTTW454BANCNFSM5ADFGSUA>. [External Email: This message has originated from an external source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email.] ​

[pattisanta]

Hi Alex,
Yes. I can deploy rbac to subscription without an issue. I really wanted to deploy the RBAC Roles and principal id at management group level will hold a number subscriptions . So I don’t have to keep redeploying the same rbac configuration across the subscription.

Patti

[StefanIvemo]

You need to adjust your template to be able to assign roles to a management group. The error message you get :[{"code":"InvalidRoleDefinitionId","message":"The role definition ID 'Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635' is not valid."}] gives us a couple of clues to the issue.

If you look at your template and how you get the Role Definition ID using the existing function, the resourceId returned from roleDef.id differs depending on the scope where you perform the deployment. If you have a template that looks like this and deploy it to a resource group.

targetScope = 'resourceGroup'

param roleDefinitinGuid string = '8e3af657-a8ff-443c-a75c-2fe8c4bcb635'

resource roleDef 'Microsoft.Authorization/roleDefinitions@2021-04-01-preview' existing = {
  name: roleDefinitinGuid
}

output roleDefId string = roleDef.id

The role definition Id will be returned in the following format:

/subscriptions/<subscriptionID>/resourceGroups/<ResourceGroup>/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635

If you use the same template and deploy it to a subscription you will get another type of resourceId:
/subscriptions/<subscriptionId>/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635

Different format but still a valid Role Definition Id to pass as input to your role assignment.

If you change the targetScope to managementGroup and deploy the template to a managementGroup you will get the following output:
Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635

And this is why your deployment fails. When assigning roles to a management group the roleDefinitionId should be in the format /providers/Microsoft.Authorization/RoleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635 not Microsoft.Authorization/RoleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635.

You need to adjust your template by either changing the roleDefinitionId property to:

resource roleassignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
  name: ownerroleAssignGuid
  properties: {
    principalId: principalId
    roleDefinitionId: '/providers/${roleDef.id}'
  }
}

Or if you want to have one template that works for all scopes and just alter the targetScope:

resource roleassignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
  name: ownerroleAssignGuid
  properties: {
    principalId: principalId
    roleDefinitionId: startsWith(roleDef.id, 'Microsoft.Authorization') ? '/providers/${roleDef.id}' : roleDef.id
  }
}

[pattisanta]

Stefan,
I used esource roleassignment 'Microsoft.Authorization/roleAssignments@2021-04-01-preview' = {
name: ownerroleAssignGuid
properties: {
principalId: principalId
roleDefinitionId: '/providers/${roleDef.id}'
}
}
It worked perfectly. I can't thank you enough for your help.

[StefanIvemo]

@alex-frankel this fix should not be needed, right? I can't think of any use case were I would want the format Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635 on the Role Definintion resource id. the API should be changed to return the Role Definintion id in the /providers/Microsoft.Authorization/RoleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635 format.

[HariRajan2014]

I can confirm that it is still the case and I have appended 'providers' string as as you suggested. I did an output of role definition id as part of role creation. I was expecting an output like this "Microsoft.Authorization/roleAssignments/48ae7d9f-4385-58fe-8163-6ea09b1a0619" whereas it returned as like below which is bit lengthy. However your solution is working fine. thank you

outputResources": [
      {
        "id": "/providers/Microsoft.Management/managementGroups/mytestmg/providers/Microsoft.Authorization/roleAssignments/48ae7d9f-4385-58fe-8163-6ea09b1a0619"
      },