MJP
Jun 17, 2007

Are you looking at me Senpai?

Grimey Drawer
Any Azure types here? I could use a hand with an issue I'm having on a template.

The template's purpose is to create a resource group using a bunch of parameters to give it a name, then to assign the built-in Contributor RBAC role to a security group specified as another parameter. When I deploy the template, either through the Azure portal or via New-AzSubscriptionDeployment, I get the following error:

Could not find member 'roleDefinitionId' on object of type 'ResourceGroupPropertiesDefinition'. Path 'properties.roleDefinitionId'

Anyone know what I'm doing incorrectly? The section of the offending template is below, with redactions for any possible company stuff.

code:
"resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-10-01",
      "name": "[variables('resourceGroupName')]",
      "location": "[parameters('resourceGroupLocation')]",
      "tags": {
        "TechContact": "[parameters('technicalcontact')]",
        "BusinessUnit": "[parameters('businessUnit')]",
        "costCenter": "[parameters('CostCenter')]"
      },
      "properties": {
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
        "principalId": "[parameters('principalId')]",
        "scope": "[subscriptionResourceId('Microsoft.Resources/resourceGroups', variables('resourceGroupName'))]"
      }


Zephirus
May 18, 2004

BRRRR......CHK
I don't think you should have anything in properties.

The way you are expected to set role assignments is with a separate role assignment ARM resource targeted to the resource group's ID.

See: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-template

For your own sanity, you may want to consider managing role assignments in something that isn't ARM templates, like Terraform or Ansible or your IaC tool of choice.
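
An added example, not part of either post: one way to lay out the separate role assignment resource described above in a subscription-level template, using a nested deployment so the assignment is scoped to the new resource group only rather than the whole subscription. It assumes the resource group name is passed as a parameter (the original template builds it in a variable) and omits the tags.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "resourceGroupName": { "type": "string", "metadata": { "description": "Assumed parameter; the post derives this name in a variable." } },
    "resourceGroupLocation": { "type": "string" },
    "roleDefinitionId": { "type": "string", "metadata": { "description": "GUID of the role definition (built-in Contributor in the post)." } },
    "principalId": { "type": "string", "metadata": { "description": "Object ID of the security group." } }
  },
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2019-10-01",
      "name": "[parameters('resourceGroupName')]",
      "location": "[parameters('resourceGroupLocation')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "assignRoleToGroup",
      "resourceGroup": "[parameters('resourceGroupName')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups', parameters('resourceGroupName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Authorization/roleAssignments",
              "apiVersion": "2020-04-01-preview",
              "name": "[guid(subscription().id, parameters('resourceGroupName'), parameters('principalId'), parameters('roleDefinitionId'))]",
              "properties": {
                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', parameters('roleDefinitionId'))]",
                "principalId": "[parameters('principalId')]"
              }
            }
          ]
        }
      }
    }
  ]
}
```

The `guid()` name keeps the assignment idempotent across redeployments, and the identity running the deployment needs permission to write role assignments (for example Owner or User Access Administrator), which is worth restricting to the deployment pipeline's identity.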
