Create custom roles
Info: Two pipelines will be created later: Export and "Plan and Apply". A custom role is required for each pipeline.
The following custom roles can be used to assign permissions to the pipelines' service principals. The AssignableScopes value must be updated to match your tenant before the roles are created.
Read access required by the export and plan stages
read.json
{
  "Name": "Osservante RBAC - Read",
  "IsCustom": true,
  "Description": "Manage RBAC and Tags",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
    "Microsoft.Resources/subscriptions/resources/read",
    "Microsoft.Resources/tags/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/OSX-MG-MAIN"
  ]
}
Write access used by the apply stage
apply.json
{
  "Name": "Osservante RBAC - Apply",
  "IsCustom": true,
  "Description": "Manage RBAC and Tags",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
    "Microsoft.Resources/subscriptions/resources/read",
    "Microsoft.Resources/tags/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/providers/Microsoft.Management/managementGroups/OSX-MG-MAIN"
  ]
}
Create Roles
The custom roles can be created by saving the two files locally and then running the following commands:
New-AzRoleDefinition -InputFile read.json
New-AzRoleDefinition -InputFile apply.json
Info: These roles can be renamed to align with your naming standards.
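The following script is an added example, not part of the original page: it loads read.json and apply.json, retargets AssignableScopes at your own management group, checks that the Read role has not picked up any non-read actions, and then creates each role or updates it if it already exists. It assumes the Az.Resources module is installed, Connect-AzAccount has already been run, and the management group id placeholder is replaced with your own.

```powershell
# Added example (not from the original page). Assumes Az.Resources is installed
# and Connect-AzAccount has already been run for the target tenant.
# Placeholder: replace with the management group id in your tenant.
$ManagementGroupId = '<your-management-group-id>'
$Scope = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"

foreach ($file in 'read.json', 'apply.json') {
    $role = Get-Content -Path $file -Raw | ConvertFrom-Json

    # Retarget the role definition at this tenant's management group
    $role.AssignableScopes = @($Scope)

    # Guardrail: the Read role is used by the export and plan stages and must
    # stay read-only. Fail early if any action in it is not a */read action.
    if ($role.Name -like '*Read*') {
        $nonRead = @($role.Actions | Where-Object { $_ -notmatch '/read$' })
        if ($nonRead.Count -gt 0) {
            throw "Role '$($role.Name)' contains non-read actions: $($nonRead -join ', ')"
        }
    }

    # Create the role if it does not exist yet, otherwise update it in place.
    # Set-AzRoleDefinition needs the existing role Id inside the JSON file.
    $existing = Get-AzRoleDefinition -Name $role.Name -ErrorAction SilentlyContinue
    if ($null -ne $existing) {
        $role | Add-Member -NotePropertyName Id -NotePropertyValue $existing.Id -Force
    }

    # Write the tenant-specific definition next to the original so that the
    # deployed role can be diffed against the file checked into the repo
    $tenantFile = [System.IO.Path]::ChangeExtension($file, '.tenant.json')
    $role | ConvertTo-Json -Depth 5 | Set-Content -Path $tenantFile

    if ($null -ne $existing) {
        Set-AzRoleDefinition -InputFile $tenantFile
    } else {
        New-AzRoleDefinition -InputFile $tenantFile
    }
}
```

Re-running the script after editing either JSON file updates the role definitions rather than failing on the duplicate name.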