Tags: json, azure, azure-resource-manager, azure-rm-template, azure-deployment

How to check multiple conditions in ARM Template variables/parameters


I need to modify an ARM template in a way that the user will have 3 options to select for a parameter during the deployment, each one for a specific Azure RBAC built-in role (Owner, Contributor or Reader). Then I need to correlate each role to the respective role ID, which are unique in Azure. I want to avoid the user having to select from the role IDs, as they are obviously not descriptive, but the assignment in this case must be done by the role ID; just the name of the role definition is not sufficient to make the assignment directly.

The template below was simplified to just the logic that I need to implement, however it's checking just one value for the parameter (Contributor). So I need to do the same but for the 3 different values. If it was just 2 possible values I could change the "json('null')" to the other role ID, but with 3 values it gets more complex.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "exampleParameter": {
            "defaultValue": "Contributor",
            "allowedValues": [
                "Contributor",
                "Owner",
                "Reader"
            ],
            "type": "String",
            "metadata": {
                "description": "Test parameter"
            }
        }
    },
    "variables": {
        "exampleVariable": "[if(equals(parameters('exampleParameter'), 'Contributor'), 'ContributorRoleID', json('null'))]"
    },
    "resources": [],
    "outputs": {
        "exampleOutput": {
            "type": "String",
            "value": "[variables('exampleVariable')]"
        }
    }
}

I've got some references from this question, but I really didn't understand the example in the end, as even though it uses the OR condition, I didn't notice how to pass the value for true and false evaluation, as in the example above with a single value. Then I have tried different ways to adjust it for my needs, but I really couldn't find a way of solving that as I couldn't find any valid syntax to use this same logic with multiple values.

I apologize for creating a new topic for that, but I couldn't make a comment in the original question.

Note: if there is any other solution to achieve the same result, please feel free to suggest it. My question is about the conditions in variables/parameters because it's the only way that I could imagine to make this association, but I am not an expert in ARM templates; maybe there is another simple solution for my use case.

I appreciate if someone can help me. Thanks!


Solution

  • I need to correlate each role to the respective role ID, that are unique in Azure.

    • It is not possible to directly assign an RBAC (Role-Based Access Control) role to a specific resource in an ARM template. Azure RBAC roles can only be assigned at the management group, subscription, or resource group level, and not directly to individual resources like virtual networks.

    • To assign a role to a specific resource you need to use Azure Policy; Azure Policy allows you to configure things like RBAC role assignments on resources.

    Create a resource that shouldn't have any RBAC role assigned directly.


    Create an Azure Policy definition to assign the RBAC role assignment based on the selected role name and Role ID.

    {
      "properties": {
        "displayName": "Enforce RBAC Role Assignment",
        "description": "Enforce RBAC role assignment based on the selected role name.",
        "mode": "Indexed",
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Authorization/roleAssignments"
              },
              {
                "field": "Microsoft.Authorization/roleAssignments/principalId",
                "equals": "[field('Microsoft.Network/virtualNetworks/identity/principalId')]"
              }
            ]
          },
          "then": {
            "effect": "DeployIfNotExists",
            "details": {
              "type": "Microsoft.Authorization/roleAssignments",
              "roleDefinitionId": "[variables('selectedRoleID')]",
              "principalId": "[field('Microsoft.Network/virtualNetworks/identity/principalId')]",
              "scope": "[field('Microsoft.Network/virtualNetworks/id')]"
            }
          }
        },
        "parameters": {}
      }
    }
    

    Below is the template to handle the correlation between the role names and their respective Role IDs.

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "exampleParameter": {
          "defaultValue": "Contributor",
          "allowedValues": ["Contributor", "Owner", "Reader"],
          "type": "String",
          "metadata": {
            "description": "Select the role for the deployment."
          }
        }
      },
      "variables": {
        "roleMappings": {
          "Contributor": "b24988ac-6180-4783-ad44-20f7382dd24c", // built-in Contributor role definition ID
          "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",       // built-in Owner role definition ID
          "Reader": "acdd72a7-3385-48ef-bd02-f685c6c4bae7"       // built-in Reader role definition ID
        },
        "selectedRoleID": "[variables('roleMappings')[parameters('exampleParameter')]]"
      },
      "resources": [],
      "outputs": {
        "exampleOutput": {
          "type": "String",
          "value": "[variables('selectedRoleID')]"
        }
      }
    }
    

    Parameters as per the requirement.


    • During the deployment the user can select the role name (Owner, Contributor, or Reader).

    You need to use an Azure Policy definition with Azure Policy's built-in policy rule types, specifically "Role-Based Access Control (RBAC) Role Assignment" policies.
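The following is an added example and is not code from the question or the answer above. It puts the two pieces together in one subscription-scope template: the name-to-ID lookup (as an object variable indexed by the parameter, with the nested `if()` form from the original question shown alongside as an alternative) and the actual `Microsoft.Authorization/roleAssignments` resource that consumes the looked-up ID. The parameter names (`roleName`, `principalId`, `principalType`) and the output name are assumptions for this example; the three GUIDs are the Azure built-in role definition IDs for Owner, Contributor and Reader. The default is Reader rather than Contributor so that an unattended deployment grants the least privilege unless the user opts into more.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "roleName": {
      "type": "string",
      "defaultValue": "Reader",
      "allowedValues": ["Owner", "Contributor", "Reader"],
      "metadata": {
        "description": "Built-in role to assign; the template maps the name to the role definition ID."
      }
    },
    "principalId": {
      "type": "string",
      "metadata": {
        "description": "Object ID of the user, group or service principal that receives the role (assumed parameter)."
      }
    },
    "principalType": {
      "type": "string",
      "allowedValues": ["User", "Group", "ServicePrincipal"],
      "metadata": {
        "description": "Type of the principal; setting it avoids replication-delay failures for newly created principals."
      }
    }
  },
  "variables": {
    "roleDefinitionIds": {
      "Owner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
      "Contributor": "b24988ac-6180-4783-ad44-20f7382dd24c",
      "Reader": "acdd72a7-3385-48ef-bd02-f685c6c4bae7"
    },
    "selectedRoleGuid": "[variables('roleDefinitionIds')[parameters('roleName')]]",
    "selectedRoleGuidViaIf": "[if(equals(parameters('roleName'), 'Owner'), variables('roleDefinitionIds').Owner, if(equals(parameters('roleName'), 'Contributor'), variables('roleDefinitionIds').Contributor, variables('roleDefinitionIds').Reader))]",
    "selectedRoleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', variables('selectedRoleGuid'))]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2022-04-01",
      "name": "[guid(subscription().id, parameters('principalId'), variables('selectedRoleDefinitionId'))]",
      "properties": {
        "roleDefinitionId": "[variables('selectedRoleDefinitionId')]",
        "principalId": "[parameters('principalId')]",
        "principalType": "[parameters('principalType')]"
      }
    }
  ],
  "outputs": {
    "assignedRoleDefinitionId": {
      "type": "string",
      "value": "[variables('selectedRoleDefinitionId')]"
    },
    "assignedRoleGuidViaIf": {
      "type": "string",
      "value": "[variables('selectedRoleGuidViaIf')]"
    }
  }
}
```

Two things worth noting about the assignment resource: its `name` must be a GUID, and deriving it with `guid()` from the scope, principal and role makes the template idempotent (redeploying with the same inputs updates the same assignment instead of failing on a duplicate), and `roleDefinitionId` has to be the full resource ID, which is why the bare GUID from the lookup is wrapped in `subscriptionResourceId()`. The `allowedValues` list on `roleName` is what prevents the lookup from ever receiving a key that is not in the map. Deploying it requires a principal that holds `Microsoft.Authorization/roleAssignments/write` on the subscription (Owner or User Access Administrator), e.g. `az deployment sub create --location <region> --template-file role-assignment.json --parameters roleName=Reader principalId=<objectId> principalType=Group`.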