I have got a Bicep module which does the following:
- creates user managed identities
- creates a key vault
- creates a key in the vault from step 2
- creates a SQL server
- configures the SQL server to use a customer managed key using a key created
The first issue at the moment is that I have a module that assigns rbac roles, but this doesn't work for key vault.
kvRBAC.bicep

```bicep
param serverName string
param keyVaultName string
param sqlServerIdentity string

// Built-in role definitions are looked up by their GUID, not by display name;
// this GUID is the built-in Key Vault Crypto User role.
resource keyVaultCryptoUser 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
  scope: subscription()
  name: '12338af0-0e69-4776-bea7-57ae8d297424'
}

resource cryptoKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

// Assign new SQL Managed Identity the KV Crypto User role to the designated Key Vault.
resource sqlServerKeyVaultRBAC 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(serverName, cryptoKeyVault.id, keyVaultCryptoUser.id)
  scope: cryptoKeyVault
  properties: {
    principalType: 'ServicePrincipal'
    principalId: sqlServerIdentity
    // Must be the ID of a roleDefinitions resource; building a roleAssignments
    // ID with resourceId() here produces an invalid role definition reference.
    roleDefinitionId: keyVaultCryptoUser.id
  }
}
```
From main.bicep

```bicep
module sqlServerKeyVaultRBAC2 './modules/kvRBAC.bicep' = {
  name: 'SetKeyVaultRBAC2'
  scope: resourceGroup(keyvault.keyVaultRG)
  params: {
    serverName: sql.serverName
    keyVaultName: keyvault.keyVaultName
    sqlServerIdentity: identityIDs[0].properties.principalId
  }
}
```
I get the error

```
"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"RoleAssignmentUpdateNotPermitted","message":"Tenant ID, application ID, principal ID, and scope are not allowed to be updated."}]}]}]}]}]}}
```
The issue is that if I manually assign permissions from the portal, it works fine. I do want it all done via code; the issue is getting the principal ID in a way that is acceptable for Bicep. The principal ID is also generated in code dynamically when run for the first time.
The other issue is that I am not sure that a principal ID is being sent to the module, as the ID is part of the identityIDs array. Running something like `identityIDs[0].properties.principalId`, Bicep doesn't like this being passed to a module, and I have no way of verifying that the principal ID is actually being returned in the first place.
Trying to run `var x = identityIDs[0].properties.principalId` and passing `x` to the module hasn't worked either.
The second problem is with the creation of managed identities and trying to get the ID & principal ID back from the user managed identities.
create_mi.bicep

```bicep
param managedIdentities array
param location string
param tagging object

resource create_managed_identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [for name in managedIdentities: {
  name: name
  location: location
  tags: tagging.tags
}]
```
Passing an array to it

```json
"mi_resources": [
  "mi-01",
  "mi-02",
  "mi-03",
  "mi-04"
]
```
Getting the ID/principal ID of the managed identities

```bicep
resource identityIDs 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = [for item in managedIdentities.mi_resources: {
  name: item
}]
```
Referring to the principal IDs like this, `identityIDs[0].properties.principalId`, it just doesn't like it.
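As an added example (not code from the question), here is one way to wire the two modules together: the identity module returns the principal IDs as outputs, and the RBAC module receives one as a parameter, which lets it both assign the role and seed a stable, per-identity assignment name. The file paths, module names and identity names are assumed placeholders, and the vault is assumed to already exist.

```bicep
// ---- modules/create_mi.bicep ----
param managedIdentities array
param location string
resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = [for name in managedIdentities: {
  name: name
  location: location
}]
// Outputs are resolved once the identities exist, so the caller gets real
// values instead of re-reading them through an `existing` loop.
output principalIds array = [for (name, i) in managedIdentities: managedIdentity[i].properties.principalId]

// ---- modules/kvRBAC.bicep ----
param keyVaultName string
param principalId string
// Built-in Key Vault Crypto User, referenced by GUID rather than display name.
var cryptoUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424')
resource vault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}
// Inside the module the principal ID is a parameter, so it may seed guid(); the
// assignment name is then unique per identity (reusing a name with a different
// principal is what raises RoleAssignmentUpdateNotPermitted). The vault must
// have enableRbacAuthorization: true, or access policies still govern access.
resource cryptoUserAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(vault.id, principalId, cryptoUserRoleId)
  scope: vault
  properties: {
    principalType: 'ServicePrincipal'
    principalId: principalId
    roleDefinitionId: cryptoUserRoleId
  }
}

// ---- main.bicep ----
param location string = resourceGroup().location
param keyVaultName string
param keyVaultRG string
module mi './modules/create_mi.bicep' = {
  name: 'CreateManagedIdentities'
  params: { managedIdentities: ['mi-01', 'mi-02'], location: location }
}
// A module output is a runtime value: valid as a module parameter, but it could
// not seed guid() for a resource name directly in this file (BCP120).
module kvRbac './modules/kvRBAC.bicep' = {
  name: 'SetKeyVaultRBAC'
  scope: resourceGroup(keyVaultRG)
  params: { keyVaultName: keyVaultName, principalId: mi.outputs.principalIds[0] }
}
```

Each `// ----` header marks a separate file; the three sections are shown together only so the data flow from identity output to role assignment is visible in one place.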