
Commit a227c95

author
danycontre
committed
updates
1 parent dc3290c commit a227c95


4 files changed

+49
-63
lines changed


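--- a/workload/arm/deploy-baseline.json
+++ b/workload/arm/deploy-baseline.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.28.1.47646",
-"templateHash": "11957189839242396362"
+"templateHash": "8683268250512923004"
 },
 "name": "AVD Accelerator - Baseline Deployment",
 "description": "AVD Accelerator - Deployment Baseline"
@@ -12049,7 +12049,7 @@
 "identityServiceProvider": {
 "value": "[parameters('avdIdentityServiceProvider')]"
 },
-"securityPrincipalIds": "[if(not(empty(parameters('securityPrincipalId'))), createObject('value', array(parameters('securityPrincipalId'))), createObject('value', createArray()))]",
+"securityPrincipalId": "[if(not(empty(parameters('securityPrincipalId'))), createObject('value', parameters('securityPrincipalId')), createObject('value', ''))]",
 "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'))), createObject('value', variables('varAvdDefaultTags')))]",
 "alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]",
 "hostPoolAgentUpdateSchedule": {
@@ -12063,7 +12063,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.28.1.47646",
-"templateHash": "16698304225040315361"
+"templateHash": "2142854373500007534"
 }
 },
 "parameters": {
@@ -12091,8 +12091,8 @@
 "description": "The service providing domain services for Azure Virtual Desktop."
 }
 },
-"securityPrincipalIds": {
-"type": "array",
+"securityPrincipalId": {
+"type": "string",
 "metadata": {
 "description": "Identity ID to grant RBAC role to access AVD application group."
 }
@@ -12256,13 +12256,6 @@
 }
 },
 "variables": {
-"copy": [
-{
-"name": "varRoleAssignments",
-"count": "[length(parameters('securityPrincipalIds'))]",
-"input": "[createArray(createObject('roleDefinitionIdOrName', 'Desktop Virtualization User', 'principalId', parameters('securityPrincipalIds')[copyIndex('varRoleAssignments')]))]"
-}
-],
 "varApplicaitonGroups": [
 {
 "name": "[parameters('applicationGroupName')]",
@@ -13829,6 +13822,14 @@
 "value": "[parameters('tags')]"
 },
 "applications": "[if(equals(variables('varApplicaitonGroups')[copyIndex()].applicationGroupType, 'RemoteApp'), createObject('value', variables('varRAppApplicationGroupsApps')), createObject('value', createArray()))]",
+"roleAssignments": {
+"value": [
+{
+"roleDefinitionIdOrName": "Desktop Virtualization User",
+"principalId": "[parameters('securityPrincipalId')]"
+}
+]
+},
 "diagnosticSettings": {
 "value": "[variables('varDiagnosticSetting')]"
 }
@@ -16334,7 +16335,7 @@
 "createStorageDeployment": {
 "value": "[variables('varCreateStorageDeployment')]"
 },
-"securityPrincipalIds": "[if(not(empty(parameters('securityPrincipalId'))), createObject('value', array(parameters('securityPrincipalId'))), createObject('value', createArray()))]",
+"securityPrincipalId": "[if(not(empty(parameters('securityPrincipalId'))), createObject('value', parameters('securityPrincipalId')), createObject('value', ''))]",
 "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'))), createObject('value', variables('varAvdDefaultTags')))]"
 },
 "template": {
@@ -16344,7 +16345,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.28.1.47646",
-"templateHash": "3451688091470705442"
+"templateHash": "8942259551916348729"
 }
 },
 "parameters": {
@@ -16396,8 +16397,8 @@
 "description": "Required, The service providing domain services for Azure Virtual Desktop."
 }
 },
-"securityPrincipalIds": {
-"type": "array",
+"securityPrincipalId": {
+"type": "string",
 "metadata": {
 "description": "Required, Identity ID to grant RBAC role to access AVD application group."
 }
@@ -18533,14 +18534,10 @@
 ]
 },
 {
-"copy": {
-"name": "storageSmbShareContributorRoleAssign",
-"count": "[length(parameters('securityPrincipalIds'))]"
-},
-"condition": "[and(parameters('createStorageDeployment'), not(empty(parameters('securityPrincipalIds'))))]",
+"condition": "[and(parameters('createStorageDeployment'), not(empty(parameters('securityPrincipalId'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
-"name": "[format('Stora-SmbContri-RolAssign{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]",
+"name": "[format('Stora-SmbContri-RolAssign{0}-{1}', take(format('{0}', parameters('securityPrincipalId')), 6), parameters('time'))]",
 "subscriptionId": "[format('{0}', parameters('subscriptionId'))]",
 "resourceGroup": "[format('{0}', parameters('storageObjectsRgName'))]",
 "properties": {
@@ -18553,7 +18550,7 @@
 "value": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/{1}', parameters('subscriptionId'), variables('varStorageSmbShareContributorRole').id)]"
 },
 "principalId": {
-"value": "[parameters('securityPrincipalIds')[copyIndex()]]"
+"value": "[parameters('securityPrincipalId')]"
 }
 },
 "template": {
@@ -19113,14 +19110,10 @@
 }
 },
 {
-"copy": {
-"name": "aadIdentityLoginRoleAssign",
-"count": "[length(parameters('securityPrincipalIds'))]"
-},
-"condition": "[and(equals(parameters('identityServiceProvider'), 'EntraID'), not(empty(parameters('securityPrincipalIds'))))]",
+"condition": "[and(equals(parameters('identityServiceProvider'), 'EntraID'), not(empty(parameters('securityPrincipalId'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
-"name": "[format('VM-Login-Comp-{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]",
+"name": "[format('VM-Login-Comp-{0}-{1}', take(format('{0}', parameters('securityPrincipalId')), 6), parameters('time'))]",
 "subscriptionId": "[format('{0}', parameters('subscriptionId'))]",
 "resourceGroup": "[format('{0}', parameters('computeObjectsRgName'))]",
 "properties": {
@@ -19133,7 +19126,7 @@
 "value": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/{1}', parameters('subscriptionId'), variables('varVirtualMachineUserLoginRole').id)]"
 },
 "principalId": {
-"value": "[parameters('securityPrincipalIds')[copyIndex()]]"
+"value": "[parameters('securityPrincipalId')]"
 }
 },
 "template": {
@@ -19693,14 +19686,10 @@
 }
 },
 {
-"copy": {
-"name": "aadIdentityLoginAccessServiceObjects",
-"count": "[length(parameters('securityPrincipalIds'))]"
-},
-"condition": "[and(equals(parameters('identityServiceProvider'), 'EntraID'), not(empty(parameters('securityPrincipalIds'))))]",
+"condition": "[and(equals(parameters('identityServiceProvider'), 'EntraID'), not(empty(parameters('securityPrincipalId'))))]",
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2022-09-01",
-"name": "[format('VM-Login-Serv-{0}-{1}', take(format('{0}', parameters('securityPrincipalIds')[copyIndex()]), 6), parameters('time'))]",
+"name": "[format('VM-Login-Serv-{0}-{1}', take(format('{0}', parameters('securityPrincipalId')), 6), parameters('time'))]",
 "subscriptionId": "[format('{0}', parameters('subscriptionId'))]",
 "resourceGroup": "[format('{0}', parameters('serviceObjectsRgName'))]",
 "properties": {
@@ -19713,7 +19702,7 @@
 "value": "[format('/subscriptions/{0}/providers/Microsoft.Authorization/roleDefinitions/{1}', parameters('subscriptionId'), variables('varVirtualMachineUserLoginRole').id)]"
 },
 "principalId": {
-"value": "[parameters('securityPrincipalIds')[copyIndex()]]"
+"value": "[parameters('securityPrincipalId')]"
 }
 },
 "template": {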

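--- a/workload/bicep/deploy-baseline.bicep
+++ b/workload/bicep/deploy-baseline.bicep
@@ -900,7 +900,7 @@ module managementPLane './modules/avdManagementPlane/deploy.bicep' = {
 startVmOnConnect: (avdHostPoolType == 'Pooled') ? varDeployScalingPlan : avdStartVmOnConnect
 workloadSubsId: avdWorkloadSubsId
 identityServiceProvider: avdIdentityServiceProvider
-securityPrincipalIds: !empty(securityPrincipalId)? array(securityPrincipalId): []
+securityPrincipalId: !empty(securityPrincipalId)? securityPrincipalId: ''
 tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
 alaWorkspaceResourceId: avdDeployMonitoring ? (deployAlaWorkspace ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId : alaExistingWorkspaceResourceId) : ''
 hostPoolAgentUpdateSchedule: varHostPoolAgentUpdateSchedule
@@ -927,7 +927,7 @@ module identity './modules/identity/deploy.bicep' = {
 enableStartVmOnConnect: avdStartVmOnConnect
 identityServiceProvider: avdIdentityServiceProvider
 createStorageDeployment: varCreateStorageDeployment
-securityPrincipalIds: !empty(securityPrincipalId)? array(securityPrincipalId): []
+securityPrincipalId: !empty(securityPrincipalId)? securityPrincipalId: ''
 tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags
 }
 dependsOn: [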
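Review bot: The conditional on the new `securityPrincipalId:` line in both hunks no longer does anything: once the target is a plain string, `!empty(securityPrincipalId)? securityPrincipalId: ''` evaluates to `securityPrincipalId` in both branches, so it can be written as `securityPrincipalId: securityPrincipalId` (the only exception would be a nullable parameter, which its declaration outside this hunk would have to show). The guard was meaningful when it chose between `array(securityPrincipalId)` and `[]`; keeping it now implies a transformation that does not happen and hides the fact that the modules receive `''` when no principal is configured. Both the `managementPLane` and `identity` module declarations begin outside their hunks.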

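--- a/workload/bicep/modules/avdManagementPlane/deploy.bicep
+++ b/workload/bicep/modules/avdManagementPlane/deploy.bicep
@@ -16,7 +16,7 @@ param computeTimeZone string
 param identityServiceProvider string
 
 @sys.description('Identity ID to grant RBAC role to access AVD application group.')
-param securityPrincipalIds array
+param securityPrincipalId string
 
 @sys.description('AVD OS image source.')
 param osImage string
@@ -182,15 +182,6 @@ var varDiagnosticSetting = [
 workspaceResourceId: alaWorkspaceResourceId
 }
 ]
-var varRoleAssignments = [
-for securityPrincipalId in securityPrincipalIds : [
-{
-roleDefinitionIdOrName: 'Desktop Virtualization User'
-principalId: securityPrincipalId
-//principalType: 'Group'
-}
-]
-]
 
 // =========== //
 // Deployments Commercial//
@@ -236,7 +227,13 @@ module applicationGroups '../../../../avm/1.0.0/res/desktop-virtualization/appli
 hostpoolName: hostPoolName
 tags: tags
 applications: (applicationGroup.applicationGroupType == 'RemoteApp') ? varRAppApplicationGroupsApps : []
-//roleAssignments: varRoleAssignments
+roleAssignments: [
+{
+roleDefinitionIdOrName: 'Desktop Virtualization User'
+principalId: securityPrincipalId
+//principalType: 'Group'
+}
+]
 diagnosticSettings: varDiagnosticSetting
 }
 dependsOn: [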
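Review bot: The `roleAssignments` list added to `applicationGroups` in the third hunk is passed unconditionally, so when the parent template supplies an empty `securityPrincipalId` (it passes `''` in that case) the application group module receives a 'Desktop Virtualization User' assignment whose `principalId` is the empty string. The removed `varRoleAssignments` loop produced an empty list for no principals, and the sibling identity module wraps each of its assignments in `if (... !empty(securityPrincipalId))`; this site has no such guard. Mirror that guard here: `roleAssignments: !empty(securityPrincipalId) ? [ { roleDefinitionIdOrName: 'Desktop Virtualization User', principalId: securityPrincipalId } ] : []`. The compiled `workload/arm/deploy-baseline.json` in this commit carries the same unconditional block and would need regenerating after the fix. The `module applicationGroups` declaration starts outside the hunk.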

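--- a/workload/bicep/modules/identity/deploy.bicep
+++ b/workload/bicep/modules/identity/deploy.bicep
@@ -28,7 +28,7 @@ param enableStartVmOnConnect bool
 param identityServiceProvider string
 
 @sys.description('Required, Identity ID to grant RBAC role to access AVD application group.')
-param securityPrincipalIds array
+param securityPrincipalId string
 
 @sys.description('Deploy scaling plan.')
 param deployScalingPlan bool
@@ -136,34 +136,34 @@ module storageContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authoriza
 }]
 
 // Storage File Data SMB Share Contributor
-module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (createStorageDeployment && (!empty(securityPrincipalIds))) {
-name: 'Stora-SmbContri-RolAssign${take('${appGroupIdentitiesId}', 6)}-${time}'
+module storageSmbShareContributorRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = if (createStorageDeployment && (!empty(securityPrincipalId))) {
+name: 'Stora-SmbContri-RolAssign${take('${securityPrincipalId}', 6)}-${time}'
 scope: resourceGroup('${subscriptionId}', '${storageObjectsRgName}')
 params: {
 roleDefinitionIdOrName: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${varStorageSmbShareContributorRole.id}'
-principalId: appGroupIdentitiesId
+principalId: securityPrincipalId
 }
-}]
+}
 
 // Virtual machine Microsoft Entra ID access roles on the compute resource group
-module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'EntraID' && !empty(securityPrincipalIds)) {
-name: 'VM-Login-Comp-${take('${appGroupIdentitiesId}', 6)}-${time}'
+module aadIdentityLoginRoleAssign '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = if (identityServiceProvider == 'EntraID' && !empty(securityPrincipalId)) {
+name: 'VM-Login-Comp-${take('${securityPrincipalId}', 6)}-${time}'
 scope: resourceGroup('${subscriptionId}', '${computeObjectsRgName}')
 params: {
 roleDefinitionIdOrName: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${varVirtualMachineUserLoginRole.id}'
-principalId: appGroupIdentitiesId
+principalId: securityPrincipalId
 }
-}]
+}
 
 // Virtual machine Microsoft Entra ID access roles on the service objects resource group
-module aadIdentityLoginAccessServiceObjects '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = [for appGroupIdentitiesId in securityPrincipalIds: if (identityServiceProvider == 'EntraID' && !empty(securityPrincipalIds)) {
-name: 'VM-Login-Serv-${take('${appGroupIdentitiesId}', 6)}-${time}'
+module aadIdentityLoginAccessServiceObjects '../../../../carml/1.3.0/Microsoft.Authorization/roleAssignments/resourceGroup/deploy.bicep' = if (identityServiceProvider == 'EntraID' && !empty(securityPrincipalId)) {
+name: 'VM-Login-Serv-${take('${securityPrincipalId}', 6)}-${time}'
 scope: resourceGroup('${subscriptionId}', '${serviceObjectsRgName}')
 params: {
 roleDefinitionIdOrName: '/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${varVirtualMachineUserLoginRole.id}'
-principalId: appGroupIdentitiesId
+principalId: securityPrincipalId
 }
-}]
+}
 
 // =========== //
 // Outputs //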