Azure · AlexanderSehr · Jan 20, 2025 · Dec 21, 2024 · Dec 21, 2024 · Dec 23, 2024
@@ -13,6 +13,7 @@ This module deploys a Storage Account File Share Service.
 
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Storage/storageAccounts/fileServices` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2023-04-01/storageAccounts/fileServices) |
 | `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2023-01-01/storageAccounts/fileServices/shares) |

@@ -13,6 +13,7 @@ This module deploys a Storage Account File Share.
 
 | Resource Type | API Version |
 | :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
 | `Microsoft.Storage/storageAccounts/fileServices/shares` | [2023-01-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Storage/2023-01-01/storageAccounts/fileServices/shares) |
 
 ## Parameters
@@ -100,6 +101,19 @@ Array of role assignments to create.
 
 - Required: No
 - Type: array
+- Roles configurable by name:
+  - `'Contributor'`
+  - `'Owner'`
+  - `'Reader'`
+  - `'Reader and Data Access'`
+  - `'Role Based Access Control Administrator'`
+  - `'Storage Account Backup Contributor'`
+  - `'Storage Account Contributor'`
+  - `'Storage Account Key Operator Service Role'`
+  - `'Storage File Data SMB Share Contributor'`
+  - `'Storage File Data SMB Share Elevated Contributor'`
+  - `'Storage File Data SMB Share Reader'`
+  - `'User Access Administrator'`
 
 **Required parameters**
 

@@ -43,6 +43,59 @@ import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
 
+var builtInRoleNames = {
+  Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
+  Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
+  Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
+  'Reader and Data Access': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'c12c1c16-33a1-487b-954d-41c89c60f349'
+  )
+  'Role Based Access Control Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
+  )
+  'Storage Account Backup Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'e5e2a7ff-d759-4cd2-bb51-3152d37e2eb1'
+  )
+  'Storage Account Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '17d1049b-9a84-46fb-8f53-869881c3d3ab'
+  )
+  'Storage Account Key Operator Service Role': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '81a9662b-bebf-436f-a333-f67b29880f12'
+  )
+  'Storage File Data SMB Share Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb'
+  )
+  'Storage File Data SMB Share Elevated Contributor': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'a7264617-510b-434b-a828-9731dc254ea7'
+  )
+  'Storage File Data SMB Share Reader': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    'aba4ae5f-2193-4029-9191-0cb91df5e314'
+  )
+  'User Access Administrator': subscriptionResourceId(
+    'Microsoft.Authorization/roleDefinitions',
+    '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
+  )
+}
+
+var formattedRoleAssignments = [
+  for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
+    roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains(
+        roleAssignment.roleDefinitionIdOrName,
+        '/providers/Microsoft.Authorization/roleDefinitions/'
+      )
+      ? roleAssignment.roleDefinitionIdOrName
+      : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
+  })
+]
+
 resource storageAccount 'Microsoft.Storage/storageAccounts@2023-04-01' existing = {
   name: storageAccountName
 
@@ -63,13 +116,22 @@ resource fileShare 'Microsoft.Storage/storageAccounts/fileServices/shares@2023-0
 }
 
 // NOTE: This is a workaround for a bug of the resource provider. Ref: https://github.com/Azure/bicep-types-az/issues/1532
-module fileShare_roleAssignments 'modules/nested_roleAssignment.bicep' = if (!empty(roleAssignments)) {
-  name: '${uniqueString(deployment().name)}-Share-Rbac'
-  params: {
-    fileShareResourceId: fileShare.id
-    roleAssignments: roleAssignments!
+module fileShare_roleAssignments './modules/nested_inner_roleAssignment.json' = [
+  for (roleAssignment, index) in (formattedRoleAssignments ?? []): {
+    name: '${uniqueString(deployment().name)}-Share-Rbac-${index}'
+    params: {
+      scope: replace(fileShare.id, '/shares/', '/fileshares/')
+      name: roleAssignment.?name ?? guid(fileShare.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
+      roleDefinitionId: roleAssignment.roleDefinitionId
+      principalId: roleAssignment.principalId
+      principalType: roleAssignment.?principalType
+      condition: roleAssignment.?condition
+      conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
+      delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
+      description: roleAssignment.?description
+    }
   }
-}
+]
 
 @description('The name of the deployed file share.')
 output name string = fileShare.name