feat (infra): [sec] support multiple principals when creating role assignments (#77)

ferantivero · web-flow · commit 6dbc507ae9a1 · 2025-10-14T10:24:02.000-05:00
* create new module to support multiple rbac principals * Revert "create new module to support multiple rbac principals" This reverts commit 29d76d7. * Address PR Feedback: extract cosmos db operator role assignment to a module * Address PR Feedback: extract agent storage account role assignments to a module * Address PR Feedback: extract ai search role assignments to a module * Address PR Feedback: extract cosmos db sql role assignments to a module * Address PR Feedback: add conditionality when conditions strings are empty * Address PR Feedback: dont use aifoundry as existing resource but pass project id as arg instead
diff --git a/infra-as-code/bicep/ai-foundry-project.bicep b/infra-as-code/bicep/ai-foundry-project.bicep
@@ -47,47 +47,6 @@ resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2024-12-01-previ
   resource dataContributorRole 'sqlRoleDefinitions' existing = {
     name: '00000000-0000-0000-0000-000000000002'
   }
-
-  @description('Assign the project\'s managed identity the ability to read and write data in this collection within enterprise_memory database.')
-  resource projectUserThreadContainerWriter 'sqlRoleAssignments' = {
-    name: guid(aiFoundry::project.id, cosmosDbAccount::dataContributorRole.id, 'enterprise_memory', 'user')
-    properties: {
-      roleDefinitionId: cosmosDbAccount::dataContributorRole.id
-      principalId: aiFoundry::project.identity.principalId
-      scope: scopeUserContainerId
-    }
-    dependsOn: [
-      aiFoundry::project::aiAgentService
-    ]
-  }
-
-  @description('Assign the project\'s managed identity the ability to read and write data in this collection within enterprise_memory database.')
-  resource projectSystemThreadContainerWriter 'sqlRoleAssignments' = {
-    name: guid(aiFoundry::project.id, cosmosDbAccount::dataContributorRole.id, 'enterprise_memory', 'system')
-    properties: {
-      roleDefinitionId: cosmosDbAccount::dataContributorRole.id
-      principalId: aiFoundry::project.identity.principalId
-      scope: scopeSystemContainerId
-    }
-    dependsOn: [
-      cosmosDbAccount::projectUserThreadContainerWriter // Single thread applying these permissions.
-      aiFoundry::project::aiAgentService
-    ]
-  }
-
-  @description('Assign the project\'s managed identity the ability to read and write data in this collection within enterprise_memory database.')
-  resource projectEntityContainerWriter 'sqlRoleAssignments' = {
-    name: guid(aiFoundry::project.id, cosmosDbAccount::dataContributorRole.id, 'enterprise_memory', 'entities')
-    properties: {
-      roleDefinitionId: cosmosDbAccount::dataContributorRole.id
-      principalId: aiFoundry::project.identity.principalId
-      scope: scopeEntityContainerId
-    }
-    dependsOn: [
-      cosmosDbAccount::projectSystemThreadContainerWriter // Single thread applying these permissions.
-      aiFoundry::project::aiAgentService
-    ]
-  }
 }
 
 resource agentStorageAccount 'Microsoft.Storage/storageAccounts@2024-01-01' existing = {
@@ -273,58 +232,118 @@ resource aiFoundry 'Microsoft.CognitiveServices/accounts@2025-06-01' existing  =
 
 // Role assignments
 
-resource projectDbCosmosDbOperatorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(aiFoundry::project.id, cosmosDbOperatorRole.id, cosmosDbAccount.id)
-  scope: cosmosDbAccount
-  properties: {
+@description('Grant the AI Foundry Project managed identity Cosmos Db Db Operator user role permissions.')
+module projectDbCosmosDbOperatorAssignment './modules/cosmosdbRoleAssignment.bicep' = {
+  name: 'projectDbCosmosDbOperatorAssignmentDeploy'
+  params: {
     roleDefinitionId: cosmosDbOperatorRole.id
     principalId: aiFoundry::project.identity.principalId
-    principalType: 'ServicePrincipal'
+    existingAiFoundryProjectId: aiFoundry::project.id
+    existingCosmosDbAccountName: existingCosmosDbAccountName
   }
 }
 
-resource projectBlobDataContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(aiFoundry::project.id, storageBlobDataContributorRole.id, agentStorageAccount.id)
-  scope: agentStorageAccount
-  properties: {
+@description('Grant the AI Foundry Project managed identity Storage Account Blob Data Contributor user role permissions.')
+module projectBlobDataContributorAssignment './modules/storageAccountRoleAssignment.bicep' = {
+  name: 'projectBlobDataContributorAssignmentDeploy'
+  params: {
     roleDefinitionId: storageBlobDataContributorRole.id
     principalId: aiFoundry::project.identity.principalId
-    principalType: 'ServicePrincipal'
+    existingAiFoundryProjectId: aiFoundry::project.id
+    existingStorageAccountName: existingStorageAccountName
   }
 }
 
-resource projectBlobDataOwnerConditionalAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(aiFoundry::project.id, storageBlobDataOwnerRole.id, agentStorageAccount.id)
-  scope: agentStorageAccount
-  properties: {
-    principalId: aiFoundry::project.identity.principalId
+@description('Grant the AI Foundry Project managed identity Storage Account Blob Data Owner user role permissions.')
+module projectBlobDataOwnerConditionalAssignment './modules/storageAccountRoleAssignment.bicep' = {
+  name: 'projectBlobDataOwnerConditionalAssignmentDeploy'
+  params: {
     roleDefinitionId: storageBlobDataOwnerRole.id
-    principalType: 'ServicePrincipal'
+    principalId: aiFoundry::project.identity.principalId
+    existingAiFoundryProjectId: aiFoundry::project.id
+    existingStorageAccountName: existingStorageAccountName
     conditionVersion: '2.0'
     condition: '((!(ActionMatches{\'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read\'})  AND  !(ActionMatches{\'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action\'}) AND  !(ActionMatches{\'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write\'}) ) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringStartsWithIgnoreCase \'${workspaceIdAsGuid}\'))'
   }
 }
 
-resource projectAISearchContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(aiFoundry::project.id, azureAISearchServiceContributorRole.id, azureAISearchService.id)
-  scope: azureAISearchService
-  properties: {
+@description('Grant the AI Foundry Project managed identity AI Search Contributor user role permissions.')
+module projectAISearchContributorAssignment './modules/aiSearchRoleAssignment.bicep' = {
+  name: 'projectAISearchContributorAssignmentDeploy'
+  params: {
     roleDefinitionId: azureAISearchServiceContributorRole.id
     principalId: aiFoundry::project.identity.principalId
-    principalType: 'ServicePrincipal'
+    existingAiFoundryProjectId: aiFoundry::project.id
+    existingAISearchAccountName: existingAISearchAccountName
   }
 }
 
-resource projectAISearchIndexDataContributorAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(aiFoundry::project.id, azureAISearchIndexDataContributorRole.id, azureAISearchService.id)
-  scope: azureAISearchService
-  properties: {
+@description('Grant the AI Foundry Project managed identity AI Search Data Contributor user role permissions.')
+module projectAISearchIndexDataContributorAssignment './modules/aiSearchRoleAssignment.bicep' = {
+  name: 'projectAISearchIndexDataContributorAssignmentDeploy'
+  params: {
     roleDefinitionId: azureAISearchIndexDataContributorRole.id
     principalId: aiFoundry::project.identity.principalId
-    principalType: 'ServicePrincipal'
+    existingAiFoundryProjectId: aiFoundry::project.id
+    existingAISearchAccountName: existingAISearchAccountName
   }
 }
 
+// Sql Role Assignments
+
+@description('Assign the project\'s managed identity the ability to read and write data in this collection within enterprise_memory database.')
+module projectUserThreadContainerWriterSqlAssignment './modules/cosmosdbSqlRoleAssignment.bicep' = {
+  name: 'projectUserThreadContainerWriterSqlAssignmentDeploy'
+  params: {
+    roleDefinitionId: cosmosDbAccount::dataContributorRole.id
+    principalId: aiFoundry::project.identity.principalId
+    existingAiFoundryProjectId: aiFoundry::project.id
+    existingCosmosDbAccountName: existingCosmosDbAccountName
+    existingCosmosDbName: 'enterprise_memory'
+    existingCosmosCollectionTypeName: 'user'
+    scopeUserContainerId: scopeUserContainerId
+  }
+  dependsOn: [
+    aiFoundry::project::aiAgentService
+  ]
+}
+
+@description('Assign the project\'s managed identity the ability to read and write data in this collection within enterprise_memory database.')
+module projectSystemThreadContainerWriterSqlAssignment './modules/cosmosdbSqlRoleAssignment.bicep' = {
+  name: 'projectSystemThreadContainerWriterSqlAssignmentDeploy'
+  params: {
+    roleDefinitionId: cosmosDbAccount::dataContributorRole.id
+    principalId: aiFoundry::project.identity.principalId
+    existingAiFoundryProjectId: aiFoundry::project.id
+    existingCosmosDbAccountName: existingCosmosDbAccountName
+    existingCosmosDbName: 'enterprise_memory'
+    existingCosmosCollectionTypeName: 'system'
+    scopeUserContainerId: scopeSystemContainerId
+  }
+  dependsOn: [
+    aiFoundry::project::aiAgentService
+    projectUserThreadContainerWriterSqlAssignment // Single thread applying these permissions.
+  ]
+}
+
+@description('Assign the project\'s managed identity the ability to read and write data in this collection within enterprise_memory database.')
+module projectEntityContainerWriterSqlAssignment './modules/cosmosdbSqlRoleAssignment.bicep' = {
+  name: 'projectEntityContainerWriterSqlAssignmentDeploy'
+  params: {
+    roleDefinitionId: cosmosDbAccount::dataContributorRole.id
+    principalId: aiFoundry::project.identity.principalId
+    existingAiFoundryProjectId: aiFoundry::project.id
+    existingCosmosDbAccountName: existingCosmosDbAccountName
+    existingCosmosDbName: 'enterprise_memory'
+    existingCosmosCollectionTypeName: 'entities'
+    scopeUserContainerId: scopeEntityContainerId
+  }
+  dependsOn: [
+    aiFoundry::project::aiAgentService
+    projectSystemThreadContainerWriterSqlAssignment // Single thread applying these permissions.
+  ]
+}
+  
 // ---- Outputs ----
 
 output aiAgentProjectName string = aiFoundry::project.name
diff --git a/infra-as-code/bicep/modules/aiSearchRoleAssignment.bicep b/infra-as-code/bicep/modules/aiSearchRoleAssignment.bicep
@@ -0,0 +1,36 @@
+/*
+  This template creates a role assignment for a managed identity to access indexes in AI Search.
+
+  To ensure that each deployment has a unique role assignment ID, you can use the guid() function with a seed value that is based in part on the
+  managed identity's principal ID. However, because Azure Resource Manager requires each resource's name to be available at the beginning of the deployment,
+  you can't use this approach in the same Bicep file that defines the managed identity. This sample uses a Bicep module to work around this issue.
+*/
+@description('The Id of the role definition.')
+param roleDefinitionId string
+
+@description('The principalId property of the managed identity.')
+param principalId string
+
+@description('The existing Azure AI Foundry Project Id.')
+@minLength(2)
+param existingAiFoundryProjectId string
+
+@description('The existing Azure AI Search account that is going to be used as the Azure AI Foundry Agent vector store (dependency).')
+@minLength(1)
+param existingAISearchAccountName string
+
+// ---- Existing resources ----
+resource azureAISearchService 'Microsoft.Search/searchServices@2025-02-01-preview' existing = {
+  name: existingAISearchAccountName
+}
+
+// ---- Role assignment ----
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, existingAiFoundryProjectId, azureAISearchService.id, principalId, roleDefinitionId)
+  scope: azureAISearchService
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}
diff --git a/infra-as-code/bicep/modules/cosmosdbRoleAssignment.bicep b/infra-as-code/bicep/modules/cosmosdbRoleAssignment.bicep
@@ -0,0 +1,35 @@
+/*
+  This template creates a role assignment for a managed identity to access dbs in Cosmos Db.
+
+  To ensure that each deployment has a unique role assignment ID, you can use the guid() function with a seed value that is based in part on the
+  managed identity's principal ID. However, because Azure Resource Manager requires each resource's name to be available at the beginning of the deployment,
+  you can't use this approach in the same Bicep file that defines the managed identity. This sample uses a Bicep module to work around this issue.
+*/
+@description('The Id of the role definition.')
+param roleDefinitionId string
+
+@description('The principalId property of the managed identity.')
+param principalId string
+
+@description('The existing Azure AI Foundry Project Id.')
+@minLength(2)
+param existingAiFoundryProjectId string
+
+@description('The name of the existing Cosmos Db resource.')
+param existingCosmosDbAccountName string
+
+// ---- Existing resources ----
+resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2025-05-01-preview' existing = {
+  name: existingCosmosDbAccountName
+}
+
+// ---- Role assignment ----
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, existingAiFoundryProjectId, cosmosDbAccount.id, principalId, roleDefinitionId)
+  scope: cosmosDbAccount
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+  }
+}
diff --git a/infra-as-code/bicep/modules/cosmosdbSqlRoleAssignment.bicep b/infra-as-code/bicep/modules/cosmosdbSqlRoleAssignment.bicep
@@ -0,0 +1,45 @@
+/*
+  This template creates a sql role assignment for a managed identity to access dbs and containers in Cosmos Db.
+
+  To ensure that each deployment has a unique role assignment ID, you can use the guid() function with a seed value that is based in part on the
+  managed identity's principal ID. However, because Azure Resource Manager requires each resource's name to be available at the beginning of the deployment,
+  you can't use this approach in the same Bicep file that defines the managed identity. This sample uses a Bicep module to work around this issue.
+*/
+@description('The Id of the role definition.')
+param roleDefinitionId string
+
+@description('The principalId property of the managed identity.')
+param principalId string
+
+@description('The existing Azure AI Foundry Project Id.')
+@minLength(2)
+param existingAiFoundryProjectId string
+
+@description('The name of the existing Cosmos Db resource.')
+param existingCosmosDbAccountName string
+
+@description('The Cosmos Db name of the sql role assignment.')
+param existingCosmosDbName string
+
+@description('The Cosmos Db csontainer type name of the sql role assignment.')
+param existingCosmosCollectionTypeName string
+
+@description('The Id of the Scope of the sql role assignment.')
+param scopeUserContainerId string
+
+// ---- Existing resources ----
+resource cosmosDbAccount 'Microsoft.DocumentDB/databaseAccounts@2025-05-01-preview' existing = {
+  name: existingCosmosDbAccountName
+}
+
+// ---- Role assignment ----
+@description('Assign the project\'s managed identity the ability to read and write data in this collection within enterprise_memory database.')
+resource sqlRoleAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2025-05-01-preview' = {
+  name: guid(resourceGroup().id, existingAiFoundryProjectId, principalId, roleDefinitionId, existingCosmosDbName, existingCosmosCollectionTypeName)
+  parent: cosmosDbAccount
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: principalId
+    scope: scopeUserContainerId
+  }
+}
diff --git a/infra-as-code/bicep/modules/storageAccountRoleAssignment.bicep b/infra-as-code/bicep/modules/storageAccountRoleAssignment.bicep
@@ -0,0 +1,44 @@
+/*
+  This template creates a role assignment for a managed identity to access blobs in Storage Account.
+
+  To ensure that each deployment has a unique role assignment ID, you can use the guid() function with a seed value that is based in part on the
+  managed identity's principal ID. However, because Azure Resource Manager requires each resource's name to be available at the beginning of the deployment,
+  you can't use this approach in the same Bicep file that defines the managed identity. This sample uses a Bicep module to work around this issue.
+*/
+@description('The Id of the role definition.')
+param roleDefinitionId string
+
+@description('The principalId property of the managed identity.')
+param principalId string
+
+@description('The existing Azure AI Foundry Project Id.')
+@minLength(2)
+param existingAiFoundryProjectId string
+
+@description('The existing Azure Storage account that is going to be used as the Azure AI Foundry Agent blob store (dependency).')
+@minLength(3)
+param existingStorageAccountName string
+
+@description('The Azure Storage account role assignment conditions version.')
+param conditionVersion string = ''
+
+@description('The Azure Storage account role assignment conditions.')
+param condition string = ''
+
+// ---- Existing resources ----
+resource agentStorageAccount 'Microsoft.Storage/storageAccounts@2025-01-01' existing = {
+  name: existingStorageAccountName
+}
+
+// ---- Role assignment ----
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(resourceGroup().id, existingAiFoundryProjectId, agentStorageAccount.id, principalId, roleDefinitionId)
+  scope: agentStorageAccount
+  properties: {
+    roleDefinitionId: roleDefinitionId
+    principalId: principalId
+    principalType: 'ServicePrincipal'
+    conditionVersion: conditionVersion != '' ? conditionVersion : null
+    condition: condition != '' ? condition : null
+  }
+}
