Adding RBAC constrained delegation parameters and guidance in the rol…

…eAssignment modules (#816)

* add rbac constrained delegation guidance

* Refactor role assignment condition code generation

* Generate Parameter Markdowns [sebassem/cfa6355d]

* update parameters files

* Refactor role assignment condition code generation

* Generate Parameter Markdowns [sebassem/cfa6355d]

* Refactor role assignment condition code generation

* reduce condition parameter description

* Generate Parameter Markdowns [sebassem/cfa6355d]

* Refactor role assignment condition code generation

* Generate Parameter Markdowns [sebassem/cfa6355d]

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>

infra-as-code/bicep/modules/roleAssignments/README.md

@@ -183,3 +183,38 @@ New-AzManagementGroupDeployment @inputObject
 ### Many Resource Group Role Assignments
 
 ![Bicep Visualizer - Many Resource Group Role Assignments](media/bicepVisualizerSubMany.png "Bicep Visualizer - Many Resource Group Role Assignments")
+
+## Role assignment delegation
+
+For each module, you can add a role assignment condition to securely delegate role assignments to others. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: (Owner, User Access Administrator and Role Based Access Control Administrator). To generate the condition code:
+
+- Create a role assignemnt with a condition from the portal for the privileged role that will be assigned.
+- Select the code view from the advanced editor and copy the condition's code.
+- Remove all newlines from the condition code.
+- Escape any single quote using a backslash (only in Bicep, no need in JSON parameters file).
+
+Example:
+
+```json
+"parRoleAssignmentNameGuid": {
+    "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parRoleDefinitionId": {
+    "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parAssigneePrincipalType": {
+    "value": "ServicePrincipal"
+},
+"parAssigneeObjectId": {
+    "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+},
+"parRoleAssignmentCondition": {
+    "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+},
+"parRoleAssignmentConditionVersion": {
+    "value": "2.0"
+},
+"parTelemetryOptOut": {
+    "value": false
+}
+```

infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroup.bicep.md

@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parRoleAssignmentNameGuid
 
@@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
         },
         "parTelemetryOptOut": {
             "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
         }
     }
 }

infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentManagementGroupMany.bicep.md

@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parManagementGroupIds
 
@@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
         },
         "parTelemetryOptOut": {
             "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
         }
     }
 }

infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroup.bicep.md

@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parRoleAssignmentNameGuid
 
@@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
         },
         "parTelemetryOptOut": {
             "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
         }
     }
 }

infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentResourceGroupMany.bicep.md

@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parResourceGroupIds
 
@@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
         },
         "parTelemetryOptOut": {
             "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
         }
     }
 }

infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscription.bicep.md

@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee. Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry.
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parRoleAssignmentNameGuid
 
@@ -48,6 +50,20 @@ Set Parameter to true to Opt-out of deployment telemetry.
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -74,6 +90,12 @@ Set Parameter to true to Opt-out of deployment telemetry.
         },
         "parTelemetryOptOut": {
             "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
         }
     }
 }

infra-as-code/bicep/modules/roleAssignments/generateddocs/roleAssignmentSubscriptionMany.bicep.md

@@ -11,6 +11,8 @@ parRoleDefinitionId | Yes      | Role Definition Id (i.e. GUID, Reader Role Defi
 parAssigneePrincipalType | Yes      | Principal type of the assignee.  Allowed values are 'Group' (Security Group) or 'ServicePrincipal' (Service Principal or System/User Assigned Managed Identity)
 parAssigneeObjectId | Yes      | Object ID of groups, service principals or managed identities. For managed identities use the principal id. For service principals, use the object ID and not the app ID
 parTelemetryOptOut | No       | Set Parameter to true to Opt-out of deployment telemetry
+parRoleAssignmentCondition | No       | The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+parRoleAssignmentConditionVersion | No       | Role assignment condition version. Currently the only accepted value is '2.0'
 
 ### parSubscriptionIds
 
@@ -46,6 +48,20 @@ Set Parameter to true to Opt-out of deployment telemetry
 
 - Default value: `False`
 
+### parRoleAssignmentCondition
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+The role assignment condition. Only built-in and custom RBAC roles with `Microsoft.Authorization/roleAssignments/write` and/or `Microsoft.Authorization/roleAssignments/delete` permissions can have a condition defined. Example: Owner, User Access Administrator and RBAC Administrator.
+
+### parRoleAssignmentConditionVersion
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Role assignment condition version. Currently the only accepted value is '2.0'
+
+- Default value: `2.0`
+
 ## Snippets
 
 ### Parameter file
@@ -72,6 +88,12 @@ Set Parameter to true to Opt-out of deployment telemetry
         },
         "parTelemetryOptOut": {
             "value": false
+        },
+        "parRoleAssignmentCondition": {
+            "value": ""
+        },
+        "parRoleAssignmentConditionVersion": {
+            "value": "2.0"
         }
     }
 }

infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.managedIdentity.parameters.all.json

@@ -14,8 +14,14 @@
     "parAssigneeObjectId": {
       "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
     "parTelemetryOptOut": {
       "value": false
     }
   }
-}
+}

infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.securityGroup.parameters.all.json

@@ -14,8 +14,14 @@
     "parAssigneeObjectId": {
       "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
     "parTelemetryOptOut": {
       "value": false
     }
   }
-}
+}

infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroup.servicePrincipal.parameters.all.json

@@ -14,8 +14,14 @@
     "parAssigneeObjectId": {
       "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
     "parTelemetryOptOut": {
       "value": false
     }
   }
-}
+}

infra-as-code/bicep/modules/roleAssignments/parameters/roleAssignmentManagementGroupMany.managedIdentity.parameters.all.json

@@ -17,8 +17,14 @@
     "parAssigneeObjectId": {
       "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
     },
+    "parRoleAssignmentCondition": {
+      "value": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} AND @Resource[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'Group','ServicePrincipal'})))"
+    },
+    "parRoleAssignmentConditionVersion": {
+      "value": "2.0"
+    },
     "parTelemetryOptOut": {
       "value": false
     }
   }
-}
+}