Reputation: 13840
In Bicep, I can use subscriptionResourceId() or managementGroupResourceId() to refer to a resource at the subscription or management group level, respectively.
In the following code, I'm using subscriptionResourceId() to create a (RBAC) role assignment at the subscription level for a system-assigned managed identity and an Azure Key Vault:
resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(
    subscription().id,
    subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
  )
  scope: keyVault
  properties: {
    principalId: appServiceApp.identity.principalId
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      '4633458b-17de-408a-b874-0445c86b69e6'
    )
  }
}
How would I get the resource's resource group ID? The resourceId() function depends on the scope of the deployment, and so is ambiguous.
Upvotes: 0
Views: 317
Reputation: 111
If you're operating within the scope of your resource, then you can just use resourceGroup().id to get the resource's resource group ID, right?
Upvotes: 1
Reputation: 7669
How would I get the resource's resource group ID?
Here is the updated code to fetch the resource group ID from a resource (app service) and assign a role to the app service identity at the resource group level.
resource appService 'Microsoft.Web/sites@2020-06-01' existing = {
  name: 'samplevksb'
}

// Extract the resource group name from the App Service resource ID
// (/subscriptions/<sub>/resourceGroups/<rg>/... -> segment index 4 is <rg>)
var appserviceResourceGroupName = split(appService.id, '/')[4]

// Construct the resource group ID
var appserviceResourceGroupId = subscriptionResourceId('Microsoft.Resources/resourceGroups', appserviceResourceGroupName)

// Output the resource group ID of the App Service
output appserviceResourceGroupIdOutput string = appserviceResourceGroupId

// Assign the role at the scope of the deployment's resource group
resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(
    appserviceResourceGroupId,
    subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
  )
  scope: resourceGroup()
  properties: {
    principalId: '83-4afa99ea1946'
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      '4633458b-17de-408a-b874-0445c86b69e6'
    )
  }
}
Output:
After running the code, the role assignment has been assigned at the resource group level for the system-assigned managed identity.
Upvotes: 1
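For comparison with the snippets in this thread, the following is an added example and not code from any of the posts: it reads the resource group ID with resourceGroup().id, keeps the assignment scoped to the Key Vault rather than the whole resource group, and seeds the assignment name with scope, principal resource and role so that each combination gets its own name. The parameter names, the Key Vault API version and the assumption that both resources already exist in the deployment's resource group are mine.

```bicep
// Added example; parameter names and the Key Vault API version are assumptions.
targetScope = 'resourceGroup'

@description('Name of an existing Key Vault in this resource group (assumed).')
param keyVaultName string

@description('Name of an existing App Service with a system-assigned identity (assumed).')
param appServiceName string

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource appServiceApp 'Microsoft.Web/sites@2020-06-01' existing = {
  name: appServiceName
}

// Role definition GUID used on this page. Role definitions are addressed at
// subscription level, so subscriptionResourceId() is unambiguous here.
var roleDefinitionId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // The name must be computable at the start of the deployment, so it is seeded
  // with appServiceApp.id instead of identity.principalId (a runtime value).
  // Including scope, principal resource and role keeps the name unique per triple.
  name: guid(keyVault.id, appServiceApp.id, roleDefinitionId)
  // Narrowest scope that works: the vault itself, not the resource group.
  scope: keyVault
  properties: {
    principalId: appServiceApp.identity.principalId
    // Managed identities are service principals; stating the type avoids a
    // directory lookup that can fail for a freshly created identity.
    principalType: 'ServicePrincipal'
    roleDefinitionId: roleDefinitionId
  }
}

// With targetScope = 'resourceGroup', this is the ID of the group that holds
// every resource declared above without an explicit scope.
output resourceGroupId string = resourceGroup().id
output assignmentScope string = keyVault.id
```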