azMantas · November 5, 2021 18:05
diff --git a/main.bicep b/main.bicep
 targetScope = 'subscription'
 param storageAccountName string = 'biceprules'
 param utc string = utcNow()

 param storageRBAC object = {
  storageBlobContributors: {
    roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
    principalId: [
      '07ec4702-a678-4ff6-bf61-4d58eac4fe83'
      'd3f05bbb-5c34-40f5-95c8-d306bc32c032'
      '45d3add6-d71f-4ec7-b969-1a27029aa733'
    ]
  }
  storageAccountContributors: {
    roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
    principalId: [
      '90897a08-242f-4029-8e20-6e048cb1bdbe'
    ]
  }
  storageBlobReaders: {
    roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
    principalId: [
      '1982359b-9114-46e9-94bb-4a59a4282426'
    ]
  }
 }

 resource resourceGroupResource 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'bicepRules'
  location: 'westeurope'
 }

 module storage 'storage.bicep' = {
  scope: resourceGroupResource
  name: '${storageAccountName}-${utc}'
  params: {
    storageAccountName: storageAccountName
  }
 }

 module rbac 'rbac.bicep' = [for rbac in items(storageRBAC): {
  name: '${rbac.key}-${utc}'
  scope: resourceGroupResource
  params:{
    storageAccountName: storage.outputs.storageAccountName
    principals: rbac.value.principalId
    roleId: rbac.value.roleDefinitionId
  }
 }]
diff --git a/rbac.bicep b/rbac.bicep
 param principals array
 param roleId string
 param storageAccountName string

 resource storageAccountResource 'Microsoft.Storage/storageAccounts@2021-06-01' existing = {
  name: storageAccountName
 }

 resource rbac 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = [for item in principals: {
  name: guid(item, roleId, storageAccountResource.id)
  scope: storageAccountResource
  properties:{
    principalId: item
    roleDefinitionId: roleId
  }
 }]
diff --git a/storage.bicep b/storage.bicep
 param storageAccountName string
 var suffix = take(uniqueString(resourceGroup().id),5)
 var stName = 'st${storageAccountName}${suffix}'

 resource storageaccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
  name: stName
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
 }

 output storageAccountName string = storageaccount.name
	targetScope = 'subscription'
	param storageAccountName string = 'biceprules'
	param utc string = utcNow()

	param storageRBAC object = {
	storageBlobContributors: {
	roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
	principalId: [
	'07ec4702-a678-4ff6-bf61-4d58eac4fe83'
	'd3f05bbb-5c34-40f5-95c8-d306bc32c032'
	'45d3add6-d71f-4ec7-b969-1a27029aa733'
	]
	}
	storageAccountContributors: {
	roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab'
	principalId: [
	'90897a08-242f-4029-8e20-6e048cb1bdbe'
	]
	}
	storageBlobReaders: {
	roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/2a2b9908-6ea1-4ae2-8e65-a410df84e7d1'
	principalId: [
	'1982359b-9114-46e9-94bb-4a59a4282426'
	]
	}
	}

	resource resourceGroupResource 'Microsoft.Resources/resourceGroups@2021-04-01' = {
	name: 'bicepRules'
	location: 'westeurope'
	}

	module storage 'storage.bicep' = {
	scope: resourceGroupResource
	name: '${storageAccountName}-${utc}'
	params: {
	storageAccountName: storageAccountName
	}
	}

	module rbac 'rbac.bicep' = [for rbac in items(storageRBAC): {
	name: '${rbac.key}-${utc}'
	scope: resourceGroupResource
	params:{
	storageAccountName: storage.outputs.storageAccountName
	principals: rbac.value.principalId
	roleId: rbac.value.roleDefinitionId
	}
	}]
	param principals array
	param roleId string
	param storageAccountName string

	resource storageAccountResource 'Microsoft.Storage/storageAccounts@2021-06-01' existing = {
	name: storageAccountName
	}

	resource rbac 'Microsoft.Authorization/roleAssignments@2020-08-01-preview' = [for item in principals: {
	name: guid(item, roleId, storageAccountResource.id)
	scope: storageAccountResource
	properties:{
	principalId: item
	roleDefinitionId: roleId
	}
	}]
	param storageAccountName string
	var suffix = take(uniqueString(resourceGroup().id),5)
	var stName = 'st${storageAccountName}${suffix}'

	resource storageaccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
	name: stName
	location: resourceGroup().location
	kind: 'StorageV2'
	sku: {
	name: 'Standard_LRS'
	}
	}

	output storageAccountName string = storageaccount.name