Improved custom role creation using Bicep

rolyon · rolyon · commit 14e91afaad70 · 2024-02-14T16:24:54.000-08:00
diff --git a/articles/role-based-access-control/custom-roles-bicep.md b/articles/role-based-access-control/custom-roles-bicep.md
@@ -6,7 +6,7 @@ author: rolyon
 manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
-ms.date: 12/01/2023
+ms.date: 02/15/2024
 ms.author: rolyon
 ms.custom: devx-track-azurepowershell, devx-track-azurecli, devx-track-bicep
 #Customer intent: As an IT admin, I want to create custom and/or roles using Bicep so that I can start automating custom role processes.
@@ -37,7 +37,45 @@ The Bicep file used in this article is from [Azure Quickstart Templates](https:/
 
 The scope where this custom role can be assigned is set to the current subscription.
 
-:::code language="bicep" source="~/quickstart-templates/subscription-deployments/create-role-def/main.bicep":::
+A custom role requires a unique ID. The ID can be generated with the [guid()](../azure-resource-manager/bicep/bicep-functions-string.md#guid) function. Since a custom role also requires a [unique display name](custom-roles.md#custom-role-properties) for the tenant, you can use the role name as a parameter for the `guid()` function to create a [deterministic GUID](../azure-resource-manager/bicep/scenarios-rbac.md#name). A deterministic GUID is useful if you later need to update the custom role using the same Bicep file.
+
+```bicep
+targetScope = 'subscription'
+
+@description('Array of actions for the roleDefinition')
+param actions array = [
+  'Microsoft.Resources/subscriptions/resourceGroups/read'
+]
+
+@description('Array of notActions for the roleDefinition')
+param notActions array = []
+
+@description('Friendly name of the role definition')
+param roleName string = 'Custom Role - RG Reader'
+
+@description('Detailed description of the role definition')
+param roleDescription string = 'Subscription Level Deployment of a Role Definition'
+
+var roleDefId = guid(roleName)
+
+resource roleDef 'Microsoft.Authorization/roleDefinitions@2022-04-01' = {
+  name: roleDefId
+  properties: {
+    roleName: roleName
+    description: roleDescription
+    type: 'customRole'
+    permissions: [
+      {
+        actions: actions
+        notActions: notActions
+      }
+    ]
+    assignableScopes: [
+      subscription().id
+    ]
+  }
+}
+```
 
 The resource defined in the Bicep file is:
 
@@ -46,29 +84,39 @@ The resource defined in the Bicep file is:
 ## Deploy the Bicep file
 
 1. Save the Bicep file as **main.bicep** to your local computer.
-1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.
+
+1. Create a variable named **myActions** with the actions for the roleDefinition.
 
     # [CLI](#tab/CLI)
 
     ```azurecli-interactive
-    $myActions='("Microsoft.Resources/resources/read","Microsoft.Resources/subscriptions/resourceGroups/read")'
-
-    az deployment sub create --location eastus --name customRole --template-file main.bicep --parameters actions=$myActions
+    $myActions='["Microsoft.Resources/subscriptions/resourceGroups/read"]'
     ```
 
     # [PowerShell](#tab/PowerShell)
 
     ```azurepowershell-interactive
-    $myActions = @("Microsoft.Resources/resources/read","Microsoft.Resources/subscriptions/resourceGroups/read")
+    $myActions = @("Microsoft.Resources/subscriptions/resourceGroups/read")
+    ```
+
+    ---
+
+1. Deploy the Bicep file using either Azure CLI or Azure PowerShell.
+
+    # [CLI](#tab/CLI)
+
+    ```azurecli-interactive
+    az deployment sub create --location eastus --name customRole --template-file ./main.bicep --parameters actions=$myActions
+    ```
+
+    # [PowerShell](#tab/PowerShell)
 
+    ```azurepowershell-interactive
     New-AzSubscriptionDeployment -Location eastus -Name customRole -TemplateFile ./main.bicep -actions $myActions
     ```
 
     ---
 
-    > [!NOTE]
-    > Create a variable called **myActions** and then pass that variable. Replace the sample actions with the actions for the roleDefinition.
-
  When the deployment finishes, you should see a message indicating the deployment succeeded.
 
 ## Review deployed resources
@@ -91,53 +139,36 @@ Get-AzRoleDefinition "Custom Role - RG Reader"
 
 ## Update a custom role
 
-Similar to creating a custom role, you can update an existing custom role using Bicep. To update a custom role, you need to specify the role you want to update.
+Similar to creating a custom role, you can update an existing custom role using Bicep. To update a custom role, you need to specify the role you want to update. If you previously created the custom role in Bicep with a unique role ID that is [deterministic](../azure-resource-manager/bicep/scenarios-rbac.md#name), you can use the same Bicep file and specify the custom role by just using the display name.
 
-Here are the changes you would need to make to the previous Bicep file to update the custom role.
-
-1. Include the role ID as a parameter.
-
-    ```bicep
-    ...
-    @description('ID of the role definition')
-    param roleDefName string
-    ...
-
-    ```
-
-2. Remove the roleDefName variable. You'll get a warning if you have a parameter and variable with the same name.
-3. Use Azure CLI or Azure PowerShell to get the roleDefName.
+1. Specify the updated actions.
 
     # [CLI](#tab/CLI)
 
     ```azurecli-interactive
-    az role definition list --name "Custom Role - RG Reader"
+    $myActions='["Microsoft.Resources/resources/read","Microsoft.Resources/subscriptions/resourceGroups/read"]'
     ```
 
     # [PowerShell](#tab/PowerShell)
 
     ```azurepowershell-interactive
-    Get-AzRoleDefinition -Name "Custom Role - RG Reader"
+    $myActions = @(""Microsoft.Resources/resources/read","Microsoft.Resources/subscriptions/resourceGroups/read"")
     ```
 
----
+    ---
 
-4. Use Azure CLI or Azure PowerShell to deploy the updated Bicep file, replacing **\<name-id\>** with the roleDefName, and replacing the sample actions with the updated actions for the roleDefinition.
+1. Use Azure CLI or Azure PowerShell to update roleDefinition.
 
     # [CLI](#tab/CLI)
 
     ```azurecli-interactive
-    $myActions='("Microsoft.Resources/resources/read","Microsoft.Resources/subscriptions/resourceGroups/read")'
-
-    az deployment sub create --location eastus --name customrole --template-file main.bicep --parameters actions=$myActions roleDefName="name-id" roleName="Custom Role - RG Reader"
+    az deployment sub create --location eastus --name customrole --template-file ./main.bicep --parameters actions=$myActions roleName="Custom Role - RG Reader"
     ```
 
     # [PowerShell](#tab/PowerShell)
 
     ```azurepowershell-interactive
-    $myActions = @(""Microsoft.Resources/resources/read","Microsoft.Resources/subscriptions/resourceGroups/read"")
-
-    New-AzSubscriptionDeployment -Location eastus -Name customrole -TemplateFile ./main.bicep -actions $myActions -roleDefName "name-id" -roleName "Custom Role - RG Reader"
+    New-AzSubscriptionDeployment -Location eastus -Name customrole -TemplateFile ./main.bicep -actions $myActions -roleName "Custom Role - RG Reader"
     ```
 
     ---
@@ -167,3 +198,4 @@ Remove-AzRoleDefinition -Name "Custom Role - RG Reader"
 
 - [Understand Azure role definitions](role-definitions.md)
 - [Bicep documentation](../azure-resource-manager/bicep/overview.md)
+- [Create a new role def via a subscription level deployment](https://github.com/Azure/azure-quickstart-templates/tree/master/subscription-deployments/create-role-def)
