reorganize rbac assignments to be cleaner

Author: jgbradley1

infra/core/ai-search/ai-search.bicep

@@ -7,10 +7,7 @@ param name string
 @description('The location of the Managed Cluster resource.')
 param location string = resourceGroup().location
 
-@description('Array of objects with fields principalId, principalType, roleDefinitionId')
-param roleAssignments array = []
-
-@allowed([ 'enabled', 'disabled' ])
+@allowed(['enabled', 'disabled'])
 param publicNetworkAccess string = 'enabled'
 
 resource aiSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
@@ -28,13 +25,5 @@ resource aiSearch 'Microsoft.Search/searchServices@2024-03-01-preview' = {
   }
 }
 
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
-  for role in roleAssignments: {
-    name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
-    scope: resourceGroup()
-    properties: role
-  }
-]
-
 output name string = aiSearch.name
 output id string = aiSearch.id

infra/core/monitor/app-insights.bicep

@@ -13,9 +13,6 @@ param appInsightsPublicNetworkAccessForIngestion string = 'Disabled'
 @description('Workspace id of a Log Analytics resource.')
 param logAnalyticsWorkspaceId string
 
-@description('Array of objects with fields principalId, principalType, roleDefinitionId')
-param roleAssignments array = []
-
 resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
   name: appInsightsName
   location: location
@@ -28,20 +25,6 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
   }
 }
 
-resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
-  for role in roleAssignments: {
-    name: guid(
-      subscription().subscriptionId,
-      resourceGroup().name,
-      role.principalId,
-      role.principalType,
-      role.roleDefinitionId
-    )
-    scope: resourceGroup()
-    properties: role
-  }
-]
-
 output id string = appInsights.id
 output connectionString string = appInsights.properties.ConnectionString
 output instrumentationKey string = appInsights.properties.InstrumentationKey

infra/core/storage/storage.bicep

@@ -7,18 +7,15 @@ param name string
 @description('The location of the Storage Account resource.')
 param location string = resourceGroup().location
 
-@allowed([ 'Hot', 'Cool', 'Premium' ])
+@allowed(['Hot', 'Cool', 'Premium'])
 param accessTier string = 'Hot'
 
-@allowed([ 'AzureDnsZone', 'Standard' ])
+@allowed(['AzureDnsZone', 'Standard'])
 param dnsEndpointType string = 'Standard'
 
-@allowed([ 'Enabled', 'Disabled' ])
+@allowed(['Enabled', 'Disabled'])
 param publicNetworkAccess string = 'Disabled'
 
-@description('Array of objects with fields principalId, principalType, roleDefinitionId')
-param roleAssignments array = []
-
 param tags object = {}
 param allowBlobPublicAccess bool = false
 param allowCrossTenantReplication bool = true
@@ -29,7 +26,6 @@ param kind string = 'StorageV2'
 param minimumTlsVersion string = 'TLS1_2'
 param containers array = []
 
-
 resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
   name: name
   location: location
@@ -68,14 +64,6 @@ resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
   }
 }
 
-resource storageRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
-  for role in roleAssignments: {
-    name: guid('${role.principalId}-${role.principalType}-${role.roleDefinitionId}')
-    scope: resourceGroup()
-    properties: role
-  }
-]
-
 output name string = storage.name
 output id string = storage.id
 output primaryEndpoints object = storage.properties.primaryEndpoints

infra/core/workload-rbac.bicep

@@ -0,0 +1,43 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+@description('ID of the service principal to assign the RBAC roles to.')
+param principalId string
+
+@description('Type of principal to assign the RBAC roles to.')
+@allowed(['ServicePrincipal', 'User', 'Group', 'Device', 'ForeignGroup'])
+param principalType string
+
+@description('Role definitions for various roles that will be assigned at deployment time. Learn more: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles')
+var roleDefinitions = [
+  {
+    id: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Storage Blob Data Contributor Role
+  }
+  {
+    id: 'b24988ac-6180-42a0-ab88-20f7382dd24c' // AI Search Contributor Role
+  }
+  {
+    id: '8ebe5a00-799e-43f5-93ac-243d3dce84a7' // AI Search Index Data Contributor Role
+  }
+  {
+    id: '1407120a-92aa-4202-b7e9-c0e197c71c8f' // AI Search Index Data Reader Role
+  }
+  {
+    id: 'a001fd3d-188f-4b5d-821b-7da978bf7442' // Cognitive Services OpenAI Contributor
+  }
+  {
+    id: '3913510d-42f4-4e42-8a64-420c390055eb' // Monitoring Metrics Publisher Role
+  }
+]
+
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
+  for roleDef in roleDefinitions: {
+    name: guid(subscription().subscriptionId, resourceGroup().name, principalId, principalType, roleDef.id)
+    scope: resourceGroup()
+    properties: {
+      principalId: principalId
+      principalType: principalType
+      roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roleDef.id)
+    }
+  }
+]

infra/main.bicep

@@ -72,22 +72,6 @@ var appUrl = 'http://${appHostname}'
 
 @description('Role definitions for various roles that will be assigned at deployment time. Learn more: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles')
 var roles = {
-  storageBlobDataContributor: resourceId(
-    'Microsoft.Authorization/roleDefinitions',
-    'ba92f5b4-2d11-453d-a403-e96b0029c9fe'
-  )
-  aiSearchContributor: resourceId(
-    'Microsoft.Authorization/roleDefinitions',
-    'b24988ac-6180-42a0-ab88-20f7382dd24c' // AI Search Contributor Role
-  )
-  aiSearchIndexDataContributor: resourceId(
-    'Microsoft.Authorization/roleDefinitions',
-    '8ebe5a00-799e-43f5-93ac-243d3dce84a7' // AI Search Index Data Contributor Role
-  )
-  aiSearchIndexDataReader: resourceId(
-    'Microsoft.Authorization/roleDefinitions',
-    '1407120a-92aa-4202-b7e9-c0e197c71c8f' // AI Search Index Data Reader Role
-  )
   privateDnsZoneContributor: resourceId(
     'Microsoft.Authorization/roleDefinitions',
     'b12aa53e-6015-4669-85d0-8515ebb3ae7f' // Private DNS Zone Contributor Role
@@ -96,10 +80,6 @@ var roles = {
     'Microsoft.Authorization/roleDefinitions',
     '4d97b98b-1d4f-4787-a291-c67834d212e7' // Network Contributor Role
   )
-  cognitiveServicesOpenaiContributor: resourceId(
-    'Microsoft.Authorization/roleDefinitions',
-    'a001fd3d-188f-4b5d-821b-7da978bf7442' // Cognitive Services OpenAI Contributor
-  )
   acrPull: resourceId(
     'Microsoft.Authorization/roleDefinitions',
     '7f951dda-4ed3-4680-a7ca-43fe172d538d' // ACR Pull Role
@@ -110,6 +90,14 @@ var roles = {
   )
 }
 
+module workloadIdentityRBACAssignments 'core/workload-rbac.bicep' = {
+  name: 'workload-rbac-assignments'
+  params: {
+    principalId: workloadIdentity.outputs.principalId
+    principalType: 'ServicePrincipal'
+  }
+}
+
 module log 'core/log-analytics/log.bicep' = {
   name: 'log-analytics-deployment'
   params: {
@@ -234,23 +222,23 @@ module aiSearch 'core/ai-search/ai-search.bicep' = {
     name: !empty(aiSearchName) ? aiSearchName : '${abbrs.searchSearchServices}${resourceBaseNameFinal}'
     location: location
     publicNetworkAccess: enablePrivateEndpoints ? 'disabled' : 'enabled'
-    roleAssignments: [
-      {
-        principalId: workloadIdentity.outputs.principalId
-        principalType: 'ServicePrincipal'
-        roleDefinitionId: roles.aiSearchContributor
-      }
-      {
-        principalId: workloadIdentity.outputs.principalId
-        principalType: 'ServicePrincipal'
-        roleDefinitionId: roles.aiSearchIndexDataContributor
-      }
-      {
-        principalId: workloadIdentity.outputs.principalId
-        principalType: 'ServicePrincipal'
-        roleDefinitionId: roles.aiSearchIndexDataReader
-      }
-    ]
+    // roleAssignments: [
+    //   {
+    //     principalId: workloadIdentity.outputs.principalId
+    //     principalType: 'ServicePrincipal'
+    //     roleDefinitionId: roles.aiSearchContributor
+    //   }
+    //   {
+    //     principalId: workloadIdentity.outputs.principalId
+    //     principalType: 'ServicePrincipal'
+    //     roleDefinitionId: roles.aiSearchIndexDataContributor
+    //   }
+    //   {
+    //     principalId: workloadIdentity.outputs.principalId
+    //     principalType: 'ServicePrincipal'
+    //     roleDefinitionId: roles.aiSearchIndexDataReader
+    //   }
+    // ]
   }
 }
 
@@ -263,13 +251,13 @@ module storage 'core/storage/storage.bicep' = {
     location: location
     publicNetworkAccess: enablePrivateEndpoints ? 'Disabled' : 'Enabled'
     tags: tags
-    roleAssignments: [
-      {
-        principalId: workloadIdentity.outputs.principalId
-        principalType: 'ServicePrincipal'
-        roleDefinitionId: roles.storageBlobDataContributor
-      }
-    ]
+    // roleAssignments: [
+    //   {
+    //     principalId: workloadIdentity.outputs.principalId
+    //     principalType: 'ServicePrincipal'
+    //     roleDefinitionId: roles.storageBlobDataContributor
+    //   }
+    // ]
     deleteRetentionPolicy: {
       enabled: true
       days: 5
@@ -285,13 +273,13 @@ module appInsights 'core/monitor/app-insights.bicep' = {
     location: location
     appInsightsPublicNetworkAccessForIngestion: enablePrivateEndpoints ? 'Disabled' : 'Enabled'
     logAnalyticsWorkspaceId: log.outputs.id
-    roleAssignments: [
-      {
-        principalId: workloadIdentity.outputs.principalId
-        principalType: 'ServicePrincipal'
-        roleDefinitionId: roles.monitoringMetricsPublisher
-      }
-    ]
+    // roleAssignments: [
+    //   {
+    //     principalId: workloadIdentity.outputs.principalId
+    //     principalType: 'ServicePrincipal'
+    //     roleDefinitionId: roles.monitoringMetricsPublisher
+    //   }
+    // ]
   }
 }