Role assignment support

sdk/provisioning/Azure.Provisioning/api/Azure.Provisioning.net6.0.cs

@@ -90,9 +90,10 @@ protected Resource(Azure.Provisioning.IConstruct scope, Azure.Provisioning.Resou
         public Azure.Provisioning.Resource? Parent { get { throw null; } }
         public Azure.Provisioning.IConstruct Scope { get { throw null; } }
         public string Version { get { throw null; } }
-        public Azure.Provisioning.Authorization.RoleAssignment AssignRole(Azure.Provisioning.Authorization.RoleDefinition roleDefinition, System.Guid? principalId = default(System.Guid?)) { throw null; }
         protected virtual Azure.Provisioning.Resource? FindParentInScope(Azure.Provisioning.IConstruct scope) { throw null; }
         protected virtual string GetAzureName(Azure.Provisioning.IConstruct scope, string resourceName) { throw null; }
+        protected virtual bool NeedsParent() { throw null; }
+        protected virtual bool NeedsScope() { throw null; }
         Azure.Provisioning.Resource System.ClientModel.Primitives.IPersistableModel<Azure.Provisioning.Resource>.Create(System.BinaryData data, System.ClientModel.Primitives.ModelReaderWriterOptions options) { throw null; }
         string System.ClientModel.Primitives.IPersistableModel<Azure.Provisioning.Resource>.GetFormatFromOptions(System.ClientModel.Primitives.ModelReaderWriterOptions options) { throw null; }
         System.BinaryData System.ClientModel.Primitives.IPersistableModel<Azure.Provisioning.Resource>.Write(System.ClientModel.Primitives.ModelReaderWriterOptions options) { throw null; }
@@ -154,9 +155,15 @@ public enum WebSiteRuntime
 }
 namespace Azure.Provisioning.Authorization
 {
+    public static partial class AuthorizationExtensions
+    {
+        public static Azure.Provisioning.Authorization.RoleAssignment AssignRole(this Azure.Provisioning.Resource resource, Azure.Provisioning.Authorization.RoleDefinition roleDefinition, System.Guid? principalId = default(System.Guid?)) { throw null; }
+    }
     public partial class RoleAssignment : Azure.Provisioning.Resource<Azure.ResourceManager.Authorization.RoleAssignmentData>
     {
         internal RoleAssignment() : base (default(Azure.Provisioning.IConstruct), default(Azure.Provisioning.Resource), default(string), default(Azure.Core.ResourceType), default(string), default(System.Func<string, Azure.ResourceManager.Authorization.RoleAssignmentData>)) { }
+        protected override bool NeedsParent() { throw null; }
+        protected override bool NeedsScope() { throw null; }
     }
     [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
     public readonly partial struct RoleDefinition : System.IEquatable<Azure.Provisioning.Authorization.RoleDefinition>

sdk/provisioning/Azure.Provisioning/api/Azure.Provisioning.netstandard2.0.cs

@@ -90,9 +90,10 @@ protected Resource(Azure.Provisioning.IConstruct scope, Azure.Provisioning.Resou
         public Azure.Provisioning.Resource? Parent { get { throw null; } }
         public Azure.Provisioning.IConstruct Scope { get { throw null; } }
         public string Version { get { throw null; } }
-        public Azure.Provisioning.Authorization.RoleAssignment AssignRole(Azure.Provisioning.Authorization.RoleDefinition roleDefinition, System.Guid? principalId = default(System.Guid?)) { throw null; }
         protected virtual Azure.Provisioning.Resource? FindParentInScope(Azure.Provisioning.IConstruct scope) { throw null; }
         protected virtual string GetAzureName(Azure.Provisioning.IConstruct scope, string resourceName) { throw null; }
+        protected virtual bool NeedsParent() { throw null; }
+        protected virtual bool NeedsScope() { throw null; }
         Azure.Provisioning.Resource System.ClientModel.Primitives.IPersistableModel<Azure.Provisioning.Resource>.Create(System.BinaryData data, System.ClientModel.Primitives.ModelReaderWriterOptions options) { throw null; }
         string System.ClientModel.Primitives.IPersistableModel<Azure.Provisioning.Resource>.GetFormatFromOptions(System.ClientModel.Primitives.ModelReaderWriterOptions options) { throw null; }
         System.BinaryData System.ClientModel.Primitives.IPersistableModel<Azure.Provisioning.Resource>.Write(System.ClientModel.Primitives.ModelReaderWriterOptions options) { throw null; }
@@ -154,9 +155,15 @@ public enum WebSiteRuntime
 }
 namespace Azure.Provisioning.Authorization
 {
+    public static partial class AuthorizationExtensions
+    {
+        public static Azure.Provisioning.Authorization.RoleAssignment AssignRole(this Azure.Provisioning.Resource resource, Azure.Provisioning.Authorization.RoleDefinition roleDefinition, System.Guid? principalId = default(System.Guid?)) { throw null; }
+    }
     public partial class RoleAssignment : Azure.Provisioning.Resource<Azure.ResourceManager.Authorization.RoleAssignmentData>
     {
         internal RoleAssignment() : base (default(Azure.Provisioning.IConstruct), default(Azure.Provisioning.Resource), default(string), default(Azure.Core.ResourceType), default(string), default(System.Func<string, Azure.ResourceManager.Authorization.RoleAssignmentData>)) { }
+        protected override bool NeedsParent() { throw null; }
+        protected override bool NeedsScope() { throw null; }
     }
     [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
     public readonly partial struct RoleDefinition : System.IEquatable<Azure.Provisioning.Authorization.RoleDefinition>

sdk/provisioning/Azure.Provisioning/src/Resource.cs

@@ -193,16 +193,6 @@ private void ValidateOverrideCanBeAdded(object instance, string name)
             }
         }
 
-        /// <summary>
-        /// Assigns a role to the resource.
-        /// </summary>
-        /// <param name="roleDefinition">The role definition.</param>
-        /// <param name="principalId">The principal ID.</param>
-        public RoleAssignment AssignRole(RoleDefinition roleDefinition, Guid? principalId = default)
-        {
-            return new RoleAssignment(Scope, this, roleDefinition, principalId);
-        }
-
         /// <summary>
         /// Adds an output to the resource.
         /// </summary>
@@ -310,21 +300,23 @@ private BinaryData SerializeModule(ModelReaderWriterOptions options)
             return new BinaryData(stream.GetBuffer().AsMemory(0, (int)stream.Position));
         }
 
-        private bool NeedsParent()
+        /// <summary>
+        /// Determines whether the resource needs a parent declaration.
+        /// </summary>
+        /// <returns>Whether the resource needs a parent.</returns>
+        protected virtual bool NeedsParent()
         {
-            return this is not (Subscription or RoleAssignment) &&
-                   Parent is not null && Parent is not (ResourceGroup or Subscription or RoleAssignment);
+            return this is not Subscription && Parent is not null && Parent is not (ResourceGroup or Subscription);
         }
 
-        private bool NeedsScope()
+        /// <summary>
+        /// Determines whether the resource needs a scope declaration.
+        /// </summary>
+        /// <returns>Whether the resource needs a scope.</returns>
+        protected virtual bool NeedsScope()
         {
             Debug.Assert(ModuleScope != null, "ModuleScope should not be null");
 
-            if (this is RoleAssignment)
-            {
-                return true;
-            }
-
             switch (Parent)
             {
                 case ResourceGroup _:

sdk/provisioning/Azure.Provisioning/src/authorization/AuthorizationExtensions.cs

@@ -0,0 +1,24 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+
+namespace Azure.Provisioning.Authorization
+{
+    /// <summary>
+    /// Extension methods for authorization.
+    /// </summary>
+    public static class AuthorizationExtensions
+    {
+        /// <summary>
+        /// Assigns a role to the resource.
+        /// </summary>
+        /// <param name="resource">The resource.</param>
+        /// <param name="roleDefinition">The role definition.</param>
+        /// <param name="principalId">The principal ID.</param>
+        public static RoleAssignment AssignRole(this Resource resource, RoleDefinition roleDefinition, Guid? principalId = default)
+        {
+            return new RoleAssignment(resource, roleDefinition, principalId);
+        }
+    }
+}

sdk/provisioning/Azure.Provisioning/src/authorization/RoleAssignment.cs

@@ -15,30 +15,21 @@ public class RoleAssignment : Resource<RoleAssignmentData>
     {
         internal static readonly ResourceType ResourceType = "Microsoft.Resources/roleAssignments";
 
-        /// <summary>
-        /// Initializes a new instance of the <see cref="RoleAssignment"/>.
-        /// </summary>
-        /// <param name="scope">The scope.</param>
-        /// <param name="resource"></param>
-        /// <param name="roleDefinition"></param>
-        /// <param name="principalId"></param>
         internal RoleAssignment(
-            IConstruct scope,
             Resource resource,
             RoleDefinition roleDefinition,
             Guid? principalId = default)
             : base(
-                scope,
+                resource.Scope,
                 resource,
                 resource.Name,
                 ResourceType,
                 "2022-04-01",
                 (name) => ArmAuthorizationModelFactory.RoleAssignmentData(
                     name: name,
-                    roleDefinitionId: ResourceIdentifier.Parse($"/providers/Microsoft.Authorization/roleDefinitions/{roleDefinition}"),
                     principalId: principalId))
         {
-            if (scope.Configuration?.UseInteractiveMode != true && principalId == null)
+            if (resource.Scope.Configuration?.UseInteractiveMode != true && principalId == null)
             {
                 throw new InvalidOperationException("PrincipalId must be specified when not in interactive mode.");
             }
@@ -52,6 +43,13 @@ internal RoleAssignment(
             {
                 AssignProperty(data => data.Name, $"guid('{resource.Name}', '{principalId}', '{roleDefinition}')");
             }
+            AssignProperty(data => data.RoleDefinitionId, $"subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '{roleDefinition}')");
         }
+
+        /// <inheritdoc />
+        protected override bool NeedsScope() => true;
+
+        /// <inheritdoc />
+        protected override bool NeedsParent() => false;
     }
 }

sdk/provisioning/Azure.Provisioning/tests/Infrastructure/RoleAssignmentWithParameter/main.bicep

@@ -7,7 +7,7 @@ param location string = resourceGroup().location
 param principalId string
 
 
-resource storageAccount_d1RlrfJGB 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+resource storageAccount_jW2g4ryFz 'Microsoft.Storage/storageAccounts@2022-09-01' = {
   name: toLower(take(concat('photoAcct', uniqueString(resourceGroup().id)), 24))
   location: location
   sku: {
@@ -18,18 +18,18 @@ resource storageAccount_d1RlrfJGB 'Microsoft.Storage/storageAccounts@2022-09-01'
   }
 }
 
-resource blobService_tjgcRkcbL 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
-  parent: storageAccount_d1RlrfJGB
+resource blobService_a6I9rA4wm 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
+  parent: storageAccount_jW2g4ryFz
   name: 'default'
   properties: {
   }
 }
 
-resource roleAssignment_XCw6aC1YR 'Microsoft.Resources/roleAssignments@2022-04-01' = {
-  scope: storageAccount_d1RlrfJGB
-  name: guid('storageAccount_d1RlrfJGB', principalId, 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+resource roleAssignment_nQO6JfG3m 'Microsoft.Resources/roleAssignments@2022-04-01' = {
+  scope: storageAccount_jW2g4ryFz
+  name: guid('storageAccount_jW2g4ryFz', principalId, 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
   properties: {
-    roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
     principalId: principalId
   }
 }

sdk/provisioning/Azure.Provisioning/tests/Infrastructure/RoleAssignmentWithoutParameter/resources/rg_TEST_module/rg_TEST_module.bicep

@@ -1,5 +1,5 @@
 
-resource storageAccount_sox2Wv7OW 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+resource storageAccount_yf7XmHSXv 'Microsoft.Storage/storageAccounts@2022-09-01' = {
   name: toLower(take(concat('photoAcct', uniqueString(resourceGroup().id)), 24))
   location: 'westus'
   sku: {
@@ -10,18 +10,18 @@ resource storageAccount_sox2Wv7OW 'Microsoft.Storage/storageAccounts@2022-09-01'
   }
 }
 
-resource blobService_hX2D4quIR 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
-  parent: storageAccount_sox2Wv7OW
+resource blobService_KtI9ejh0g 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
+  parent: storageAccount_yf7XmHSXv
   name: 'default'
   properties: {
   }
 }
 
-resource roleAssignment_VB5BZKLW5 'Microsoft.Resources/roleAssignments@2022-04-01' = {
-  scope: storageAccount_sox2Wv7OW
-  name: guid('storageAccount_sox2Wv7OW', '00000000-0000-0000-0000-000000000000', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+resource roleAssignment_m0SeNoTiU 'Microsoft.Resources/roleAssignments@2022-04-01' = {
+  scope: storageAccount_yf7XmHSXv
+  name: guid('storageAccount_yf7XmHSXv', '00000000-0000-0000-0000-000000000000', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
   properties: {
-    roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
     principalId: '00000000-0000-0000-0000-000000000000'
   }
 }

sdk/provisioning/Azure.Provisioning/tests/Infrastructure/RoleAssignmentWithoutParameterInteractiveMode/main.bicep

@@ -4,7 +4,7 @@ targetScope = 'resourceGroup'
 param location string = resourceGroup().location
 
 
-resource storageAccount_RFwKam5MV 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+resource storageAccount_XJNeT6Eti 'Microsoft.Storage/storageAccounts@2022-09-01' = {
   name: toLower(take(concat('photoAcct', uniqueString(resourceGroup().id)), 24))
   location: location
   sku: {
@@ -15,18 +15,18 @@ resource storageAccount_RFwKam5MV 'Microsoft.Storage/storageAccounts@2022-09-01'
   }
 }
 
-resource blobService_cIUg9iT7j 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
-  parent: storageAccount_RFwKam5MV
+resource blobService_A96Cuv27c 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
+  parent: storageAccount_XJNeT6Eti
   name: 'default'
   properties: {
   }
 }
 
-resource roleAssignment_4Wo9FVPss 'Microsoft.Resources/roleAssignments@2022-04-01' = {
-  scope: storageAccount_RFwKam5MV
-  name: guid('storageAccount_RFwKam5MV', '00000000-0000-0000-0000-000000000000', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
+resource roleAssignment_5PbYbRPAD 'Microsoft.Resources/roleAssignments@2022-04-01' = {
+  scope: storageAccount_XJNeT6Eti
+  name: guid('storageAccount_XJNeT6Eti', '00000000-0000-0000-0000-000000000000', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
   properties: {
-    roleDefinitionId: '/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe'
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')
     principalId: '00000000-0000-0000-0000-000000000000'
   }
 }

sdk/provisioning/Azure.Provisioning/tests/Infrastructure/StorageBlobDefaults/resources/rg_TEST_module/rg_TEST_module.bicep

@@ -1,5 +1,5 @@
 
-resource storageAccount_8QqXaM2M1 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+resource storageAccount_9QJmTy7qm 'Microsoft.Storage/storageAccounts@2022-09-01' = {
   name: toLower(take(concat('photoAcct', uniqueString(resourceGroup().id)), 24))
   location: 'westus'
   sku: {
@@ -10,8 +10,8 @@ resource storageAccount_8QqXaM2M1 'Microsoft.Storage/storageAccounts@2022-09-01'
   }
 }
 
-resource blobService_oZmRpQk1D 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
-  parent: storageAccount_8QqXaM2M1
+resource blobService_Km5lqfZ5q 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
+  parent: storageAccount_9QJmTy7qm
   name: 'default'
   properties: {
   }

sdk/provisioning/Azure.Provisioning/tests/Infrastructure/StorageBlobDefaultsInPromptMode/main.bicep

@@ -4,7 +4,7 @@ targetScope = 'resourceGroup'
 param location string = resourceGroup().location
 
 
-resource storageAccount_cU8v6cAqM 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+resource storageAccount_a667SUhwI 'Microsoft.Storage/storageAccounts@2022-09-01' = {
   name: toLower(take(concat('photoAcct', uniqueString(resourceGroup().id)), 24))
   location: location
   sku: {
@@ -15,8 +15,8 @@ resource storageAccount_cU8v6cAqM 'Microsoft.Storage/storageAccounts@2022-09-01'
   }
 }
 
-resource blobService_QhDlnWma3 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
-  parent: storageAccount_cU8v6cAqM
+resource blobService_N2udHKIHx 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
+  parent: storageAccount_a667SUhwI
   name: 'default'
   properties: {
   }

sdk/provisioning/Azure.Provisioning/tests/Infrastructure/StorageBlobDropDown/resources/rg_TEST_module/rg_TEST_module.bicep

@@ -1,5 +1,5 @@
 
-resource storageAccount_9uo2memqT 'Microsoft.Storage/storageAccounts@2022-09-01' = {
+resource storageAccount_0KMvPm04J 'Microsoft.Storage/storageAccounts@2022-09-01' = {
   name: toLower(take(concat('photoAcct', uniqueString(resourceGroup().id)), 24))
   location: 'westus'
   sku: {
@@ -10,8 +10,8 @@ resource storageAccount_9uo2memqT 'Microsoft.Storage/storageAccounts@2022-09-01'
   }
 }
 
-resource blobService_1gFXR9AUz 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
-  parent: storageAccount_9uo2memqT
+resource blobService_pCgUv484K 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
+  parent: storageAccount_0KMvPm04J
   name: 'default'
   properties: {
     deleteRetentionPolicy: {