18 changes: 10 additions & 8 deletions README.md
@@ -1,24 +1,23 @@
# Azure Roles

There are a lot of role GUIDs to remember or lookup.
There are a lot of role GUIDs to remember or lookup.

Make it easier on yourself.

> [!IMPORTANT]
>
> The azure_roles.json is automatically evaluated daily for new roles and updated when new roles are discovered.
> The azure_roles.json/azure_roles.bicep is automatically evaluated daily for new roles and updated when new roles are discovered.

Simplify using Azure's built-in roles in Bicep and Terraform

**How to**

1. Copy the "azure_roles.json" file from this repo
1. Copy the "azure_roles.json" or "azure_roles.bicep" file from this repo
2. Make it available in your repo
3. Use the following example to leverage the JSON to make it easier when assigning Azure's built-in roles.
4. Lookup the role in the json, now you can use plain english in the bicep file to always know the role being assigned
4. Lookup the role in the json, now you can use plain english in the bicep file to always know the role being assigned
1. FYI, you can use Visual Studio Code's auto-complete feature when enumerating the azureRoles var instead of looking it up in the json.


## Example

### Bicep
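Review bot: steps 3 and 4 of the How-to still refer only to the JSON ("leverage the JSON", "Lookup the role in the json") after step 1 adds azure_roles.bicep as an alternative; update them to cover both files, e.g. "Lookup the role in the json or bicep file". The IMPORTANT note's "The azure_roles.json/azure_roles.bicep is automatically evaluated" should also read "are ... evaluated" now that two files are named.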
@@ -34,6 +33,10 @@ param principalType string = 'User'
// Use Bicep's loadJsonContent to use Azure Roles JSON
var azureRoles = loadJsonContent('azure_roles.json')

// Or
// Use Bicep's Import to use Azure Roles Bicep file
import { azureRoles } from './azure_roles.bicep'

// Resources
// Role assignment
resource openAiRoleUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
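Review bot: the added import block declares the same symbol as the line above it: `var azureRoles = loadJsonContent('azure_roles.json')` and `import { azureRoles } from './azure_roles.bicep'` cannot both be active in one Bicep file, because Bicep rejects a duplicate declaration of `azureRoles`. Either comment one of the two out in the example or split them into two labelled snippets, so that a reader who copies the block as-is gets a file that compiles. It is also worth stating that the import form requires `azureRoles` to be decorated with `@export()` in azure_roles.bicep, which this diff does not show.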
@@ -59,7 +62,7 @@ data "azurerm_subscription" "primary" {

data "azurerm_client_config" "example" {
}

resource "azurerm_role_assignment" "example" {
scope = data.azurerm_subscription.primary.id
role_definition_id = local.azure_roles.CognitiveServicesOpenAIUser
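Review bot: `role_definition_id = local.azure_roles.CognitiveServicesOpenAIUser` expects a role definition resource ID, while the README describes the lookup file as holding role GUIDs; the definition of `local.azure_roles` is outside this hunk, so confirm that it carries full `/providers/Microsoft.Authorization/roleDefinitions/<guid>` IDs rather than bare GUIDs, or show the prefix being composed in the example.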
@@ -95,9 +98,8 @@ You can always search through the JSON. Helpful if you are translating existing

## Updating Azure Roles JSON

New built-in roles are frequently added, to efficiently include these roles - there are two GitHub Actions. One is a manual execution and the other is a scheduled action that runs daily at midnight. The actions run the same PowerShell script, create-azurejson.ps1.
New built-in roles are frequently added, to efficiently include these roles - there are two GitHub Actions. One is a manual execution and the other is a scheduled action that runs daily at midnight. The actions run the same PowerShell script, create-azurejson.ps1.

The actions collect secrets from GitHub and save them as environment variables for the script to leverage for authenticating to Azure.

The script collects the latest roles and compares them with the current json. If new roles exist, then the json is committed to the repo with the number of new roles in the message.

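Review bot: this section still describes the update job as comparing and committing only the json ("compares them with the current json", "the json is committed"), while the new IMPORTANT note above says azure_roles.bicep is also evaluated and updated daily; state here whether create-azurejson.ps1 also regenerates azure_roles.bicep, and consider widening the heading "Updating Azure Roles JSON" to match. Minor: "to efficiently include these roles - there are two GitHub Actions" reads better as "to include these roles efficiently, there are two GitHub Actions".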