Reputation: 33
param rg_la_dev_eastus_name string = 'rg-la-dev-eastus-001'
param rg_la_prod_eastus_name string = 'rg-la-prod-eastus-001'
targetScope = 'subscription'
resource rgLaDev 'Microsoft.Resources/resourceGroups@2020-06-01' = {
  name: rg_la_dev_eastus_name
  location: 'eastus'
}
resource rgLaProd 'Microsoft.Resources/resourceGroups@2020-06-01' = {
  name: rg_la_prod_eastus_name
  location: 'eastus'
}
I can create a resource group, but I want to assign a role from here. I don't want to do it graphically every time.
Upvotes: 3
Views: 6156
Reputation: 4289
Just adding to @allen-wu's response - bear in mind that you cannot use this resource in a module with targetScope = 'subscription'. You need to use this in a module that targets the resourceGroup you want to assign permissions to.
So you need to have 3 files - one is where you create the resource groups, the second is where you put the roleAssignments resource. Then, from the first one, call the module(s):
module rgLaDevPermissions 'devPermissions.bicep' = {
  name: '${deployment().name}-${rgLaDev.name}-permissions'
  scope: rgLaDev
}
module rgLaProdPermissions 'prodPermissions.bicep' = {
  name: '${deployment().name}-${rgLaProd.name}-permissions'
  scope: rgLaProd
}
You can of course use module parameters to have a single module file if the structure of roleAssignments will be the same and differ only in who it is assigned to.
For more info see here: https://github.com/Azure/bicep/issues/1388
Upvotes: 0
Reputation: 16498
Use this script to assign the RBAC role using Bicep:
resource symbolicname 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: 'string'
  scope: 'string'
  properties: {
    roleDefinitionId: 'string'
    principalId: 'string'
    principalType: 'string'
    canDelegate: bool
    description: 'string'
    condition: 'string'
    conditionVersion: 'string'
  }
}
Reference here.
Upvotes: 1