Skip to content

feat: implement deployer-based role assignments in main.bicep and role.bicep #399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

feat: implement deployer-based role assignments in main.bicep and role.bicep #399

wants to merge 3 commits into from

Conversation

@UtkarshMishra-Microsoft
Copy link
Contributor

@UtkarshMishra-Microsoft UtkarshMishra-Microsoft commented Aug 26, 2025
edited
Loading

Purpose

Added use of deployer() function
to capture the identity of the user running the deployment.

Introduced variables deployerInfo, deployingUserPrincipalId, and enableUserRoleAssignment in main.bicep.

Extended role.bicep to assign roles to the deployer on Azure OpenAI (Cognitive Services) accounts — covering both newly created and existing resources.

Updated Cosmos DB role assignments to include both the container app’s system-assigned MI and the deployer identity.

Added a configurable parameter principalType (User, ServicePrincipal, Group, etc.) instead of hard-coded ServicePrincipal.

Added outputs (deployerInfo, userRoleAssignmentStatus) for visibility of assigned roles and deployment status.

Why These Changes

Automation: Removes the need for manual az role assignment steps after deployment.

Flexibility: Works for different identity types (User, ServicePrincipal, Group).

Consistency: Ensures deployer gets the required access for both new and existing OpenAI/Cosmos DB resources.

Transparency: Clear outputs confirm who received access and whether assignment logic executed.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

@Roopan-Microsoft Roopan-Microsoft deleted the Newbicep branch September 24, 2025 05:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@Prajwal-Microsoft Prajwal-Microsoft Awaiting requested review from Prajwal-Microsoft Prajwal-Microsoft is a code owner

@marktayl1 marktayl1 Awaiting requested review from marktayl1 marktayl1 is a code owner

@Fr4nc3 Fr4nc3 Awaiting requested review from Fr4nc3 Fr4nc3 is a code owner

@Vinay-Microsoft Vinay-Microsoft Awaiting requested review from Vinay-Microsoft Vinay-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@UtkarshMishra-Microsoft @Roopan-Microsoft