
In Bicep, I can use subscriptionResourceId() or managementGroupResourceId() to refer to a resource at the subscription or management group level, respectively.

In the following code, I’m using subscriptionResourceId() to create a (RBAC) role assignment at the subscription level for a system-assigned managed identity and an Azure Key Vault:

resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(
    subscription().id,
    subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
  )
  scope: keyVault
  properties: {
    principalId: appServiceApp.identity.principalId
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      '4633458b-17de-408a-b874-0445c86b69e6'
    )
  }
}

How would I get the resource’s resource group ID? The resourceId() function depends on the scope of the deployment, and so is ambiguous.

2 Answers


  1. How would I get the resource’s resource group ID?

    Here is the updated code to fetch the resource group ID from a resource (app service) and assign a role to the app service identity at the resource group level.

    resource appService 'Microsoft.Web/sites@2020-06-01' existing = {
      name: 'samplevksb'
    }
    // Extract the resource group name from the App Service resource ID
    // (segment 4 of /subscriptions/<sub>/resourceGroups/<rg>/providers/...)
    var appserviceResourceGroupName = split(appService.id, '/')[4]

    // Construct the resource group ID
    var appserviceResourceGroupId = subscriptionResourceId('Microsoft.Resources/resourceGroups', appserviceResourceGroupName)

    // Output the resource group ID of the App Service
    output appserviceResourceGroupIdOutput string = appserviceResourceGroupId
     
    resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
      name: guid(
        appserviceResourceGroupId,
        subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
      )
      scope: resourceGroup()
      properties: {
        principalId: '83-4afa99ea1946'
        roleDefinitionId: subscriptionResourceId(
          'Microsoft.Authorization/roleDefinitions',
          '4633458b-17de-408a-b874-0445c86b69e6'
        )
      }
    }
    

    Output:

    After running the code, the role assignment has been assigned at the resource group level for the system-assigned managed identity.

  2. If you’re operating within the scope of your resource, then you can just use resourceGroup().id to get the resource’s resource group ID, right?

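The two approaches from the answers above, side by side, as an added example that is not part of the original question or answers. It derives the resource group ID from the resource's own ID, compares it with resourceGroup().id, and keeps the role assignment scoped to the vault with a name that includes the principal. The parameter names, the Key Vault API version and the principalType setting are assumptions.

```bicep
// Added example; parameter names are assumptions, not from the original post.
@description('Existing App Service with a system-assigned identity (assumed name)')
param appServiceName string

@description('Existing Key Vault using Azure RBAC authorization (assumed name)')
param keyVaultName string

resource appServiceApp 'Microsoft.Web/sites@2020-06-01' existing = {
  name: appServiceName
}

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

// Resource IDs look like /subscriptions/<sub>/resourceGroups/<rg>/providers/...
// so after split() segment 2 is the subscription and segment 4 the resource group.
// Taking both from the resource itself avoids depending on the deployment scope.
var idSegments = split(appServiceApp.id, '/')
var derivedResourceGroupId = '/subscriptions/${idSegments[2]}/resourceGroups/${idSegments[4]}'

// Role definition GUID used in the question (Key Vault Secrets User built-in role).
var secretsRoleDefinitionId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

resource keyVaultRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Scope + principal + role in the name: deterministic on redeploy, and a second
  // identity given the same role on the same vault gets a different name.
  name: guid(keyVault.id, appServiceApp.id, secretsRoleDefinitionId)
  // Narrowest scope that works: the vault itself, not its resource group.
  scope: keyVault
  properties: {
    principalId: appServiceApp.identity.principalId
    principalType: 'ServicePrincipal'
    roleDefinitionId: secretsRoleDefinitionId
  }
}

// Both values match when the App Service lives in the resource group being deployed to.
output resourceGroupIdFromResource string = derivedResourceGroupId
output resourceGroupIdFromScope string = resourceGroup().id
```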