Add a custom role for accessing batch account

deploy/README.md

@@ -126,8 +126,22 @@ Following is the list of resource-groups and resources that should be created if
 
         Wait for all pools to complete resizing before moving to the next steps.
 
-        Note: The Bicep template adds the Synapse workspace's Managed Identity to the Batch Account as `Contributor`. Alternatively, Custom Role Definitions can be used to assign the Synapse workspace's Managed Identity to the Batch Account with required Azure RBAC operations.
-
+        Note: The Bicep template adds the Synapse workspace's Managed Identity to the Batch Account with a Custom Role Access.
+
+        Following is the default list of permissions assigned to the custom role created.
+        ```
+        Microsoft.Batch/batchAccounts/pools/write
+        Microsoft.Batch/batchAccounts/pools/read
+        Microsoft.Batch/batchAccounts/pools/delete
+        Microsoft.Batch/batchAccounts/read
+        Microsoft.Batch/batchAccounts/listKeys/action
+        Microsoft.Batch/batchAccounts/jobSchedules/write
+        Microsoft.Batch/batchAccounts/jobSchedules/delete
+        Microsoft.Batch/batchAccounts/jobSchedules/read
+        Microsoft.Batch/batchAccounts/jobs/write
+        Microsoft.Batch/batchAccounts/jobs/delete
+        Microsoft.Batch/batchAccounts/jobs/read
+        ```
     - Keyvault named `aoi-orc-kv`.
     - User managed identity `aoi-orc-umi` for access and authentication.
     - Azure Container registry instance named `aoiorcacr` to store container images.

deploy/infra/groups/orchestration.bicep

@@ -9,13 +9,6 @@ param location string
 
 param synapseMIPrincipalId string
 
-// Guid to role definitions to be used during role
-// assignments including the below roles definitions:
-// Contributor
-param synapseMIBatchAccountRoles array = [
-  'b24988ac-6180-42a0-ab88-20f7382dd24c'
-]
-
 // Name parameters for infrastructure resources
 param orchestrationResourceGroupName string = ''
 param keyvaultName string = ''
@@ -161,14 +154,21 @@ module uami '../modules/managed.identity.user.bicep' = {
   }
 }
 
+module batchAccountCustomRole '../modules/batch.account.custom.role.bicep' = {
+  name: '${namingPrefix}-batch-account-custom-role'
+  scope: subscription()
+  params: {
+    batchAccountName: toLower(batchAccountNameVar)
+  }
+}
+
 module batchAccount '../modules/batch.account.bicep' = {
   name: '${namingPrefix}-batch-account'
   params: {
     environmentName: environmentTag
     location: location
     batchAccountName: toLower(batchAccountNameVar)
     userManagedIdentityId: uami.outputs.uamiId
-    userManagedIdentityPrincipalId: uami.outputs.uamiPrincipalId
     allowedAuthenticationModes: batchAccountPoolAllocationMode == 'BatchService' ? allowedAuthenticationModesBatchSvc : allowedAuthenticationModesUsrSub
     autoStorageAuthenticationMode: batchAccountAutoStorageAuthenticationMode
     autoStorageAccountName: batchAccountAutoStorageAccountNameVar
@@ -183,17 +183,29 @@ module batchAccount '../modules/batch.account.bicep' = {
   ]
 }
 
-module synapseIdentityForBatchAccess '../modules/batch.account.role.assignment.bicep' = [ for role in synapseMIBatchAccountRoles: {
-  name: '${namingPrefix}-batch-account-role-assgn'
+module synapseIdentityForBatchAccess '../modules/batch.account.role.assignment.bicep' = {
+  name: '${namingPrefix}-batch-account-synapse-role-assign'
   params: {
-    resourceName: toLower(batchAccountNameVar)
+    batchAccountName: toLower(batchAccountNameVar)
     principalId: synapseMIPrincipalId
-    roleDefinitionId: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${role}'
+    roleDefinitionId: batchAccountCustomRole.outputs.batchAccountCustomRoleName
   }
   dependsOn: [
     batchAccount
   ]
-}]
+}
+
+module userManagedIdentityForBatchAccess '../modules/batch.account.role.assignment.bicep' = {
+  name: '${namingPrefix}-batch-account-umi-role-assign'
+  params: {
+    batchAccountName: toLower(batchAccountNameVar)
+    principalId: uami.outputs.uamiPrincipalId
+    roleDefinitionId: batchAccountCustomRole.outputs.batchAccountCustomRoleName
+  }
+  dependsOn: [
+    batchAccount
+  ]
+}
 
 module batchAccountPoolCheck '../modules/batch.account.pool.exists.bicep' = {
   name: '${namingPrefix}-batch-account-pool-exists'
@@ -207,6 +219,7 @@ module batchAccountPoolCheck '../modules/batch.account.pool.exists.bicep' = {
   dependsOn: [
     batchAccountAutoStorageAccount
     batchAccount
+    userManagedIdentityForBatchAccess
   ]
 }
 
@@ -232,6 +245,7 @@ module batchAccountCpuOnlyPool '../modules/batch.account.pools.bicep' = {
   dependsOn: [
     batchAccountAutoStorageAccount
     batchAccount
+    userManagedIdentityForBatchAccess
     batchAccountPoolCheck
   ]
 }

deploy/infra/modules/batch.account.bicep

@@ -16,8 +16,6 @@ param autoStorageAuthenticationMode string = 'StorageKeys'
 param autoStorageAccountName string
 param poolAllocationMode string = 'BatchService'
 param publicNetworkAccess bool = true 
-param assignRoleToUserManagedIdentity string = 'Owner'
-param userManagedIdentityPrincipalId string
 
 param objIdForPolicy string = 'f520d84c-3fd3-4cc8-88d4-2ed25b00d27a'
 
@@ -96,19 +94,4 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2021-06-01' = {
   ]
 }
 
-var role = {
-  owner: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635'
-  contributor: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
-  reader: '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7'
-}
-
-resource assignRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
-  name: guid(batchAccount.id, userManagedIdentityPrincipalId, role[toLower(assignRoleToUserManagedIdentity)])
-  scope: batchAccount
-  properties: {
-    principalId: userManagedIdentityPrincipalId
-    roleDefinitionId: role[toLower(assignRoleToUserManagedIdentity)]
-  }
-}
-
 output batchAccountId string = batchAccount.id

deploy/infra/modules/batch.account.custom.role.bicep

@@ -0,0 +1,37 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+targetScope = 'subscription'
+
+param batchAccountName string
+param allowedActions array = [
+  'Microsoft.Batch/batchAccounts/pools/write'
+  'Microsoft.Batch/batchAccounts/pools/read'
+  'Microsoft.Batch/batchAccounts/pools/delete'
+  'Microsoft.Batch/batchAccounts/read'
+  'Microsoft.Batch/batchAccounts/listKeys/action'
+]
+param allowedDataActions array = [
+  'Microsoft.Batch/batchAccounts/jobSchedules/write'
+  'Microsoft.Batch/batchAccounts/jobSchedules/delete'
+  'Microsoft.Batch/batchAccounts/jobSchedules/read'
+  'Microsoft.Batch/batchAccounts/jobs/write'
+  'Microsoft.Batch/batchAccounts/jobs/delete'
+  'Microsoft.Batch/batchAccounts/jobs/read'
+]
+param deniedActions array = []
+param deniedDataActions array = []
+
+module batchAccountCustomRole './custom.role.bicep' = {
+  name: 'custom-role-for-${batchAccountName}'
+  params: {
+    roleName: 'custom-role-for-${batchAccountName}'
+    roleDescription: 'Custom Role for Accessing Batch Accounts'
+    allowedActions: allowedActions
+    allowedDataActions: allowedDataActions
+    deniedActions: deniedActions
+    deniedDataActions: deniedDataActions
+  }
+}
+
+output batchAccountCustomRoleName string = batchAccountCustomRole.outputs.customRoleID

deploy/infra/modules/batch.account.role.assignment.bicep

@@ -4,17 +4,17 @@
 param principalId string
 param roleDefinitionId string
 
-param resourceName string
+param batchAccountName string
 
-param roleAssignmentId string = guid(principalId, roleDefinitionId, resourceName)
+param roleAssignmentId string = guid(principalId, roleDefinitionId, batchAccountName)
 
-resource existingResource 'Microsoft.Batch/batchAccounts@2021-06-01' existing = {
-  name: resourceName
+resource batchAccount 'Microsoft.Batch/batchAccounts@2021-06-01' existing = {
+  name: batchAccountName
 }
 
-resource symbolicname 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
+resource assignRole 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
   name: roleAssignmentId
-  scope: existingResource
+  scope: batchAccount
   properties: {
     principalId: principalId
     roleDefinitionId: roleDefinitionId

deploy/infra/modules/custom.role.bicep

@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+targetScope = 'subscription'
+
+param roleName string
+param roleDescription string = ''
+param allowedActions array = []
+param allowedDataActions array = []
+param deniedActions array = []
+param deniedDataActions array = []
+
+resource customRole 'Microsoft.Authorization/roleDefinitions@2018-01-01-preview' = {
+  name: guid(roleName)
+  properties: {
+    description: roleDescription
+    assignableScopes: [
+      subscription().id
+    ]
+    permissions: [
+      {
+        actions: allowedActions
+        dataActions: allowedDataActions
+        notActions: deniedActions
+        notDataActions: deniedDataActions
+      }
+    ]
+    roleName: roleName
+    type: 'CustomRole'
+  }
+}
+
+output customRoleID string = customRole.id