Mallow
Azure Tips · February 8, 2024

Bicep Friendly Role Names

By Jani Nevalainen

Making Azure RBAC role names more readable in Bicep templates.

This time in our tech tips series we talk about Azure RBAC roles in Bicep. If you use Bicep to create Azure resources, you might have encountered a situation where you need to assign Azure built-in roles to a parameter. However, the Bicep syntax for role assignments requires the role definition ID, which is a GUID value. This makes the code painful to read and maintain.

To fix this annoyance, you can use the following PowerShell script, which creates a Bicep file containing a Roles variable with one entry for each built-in role:

# Run the Azure CLI command to list role definitions and store the output in a variable
$roleDefinitions = az role definition list | ConvertFrom-Json

# Initialize the output string with the opening of the Roles object
$output = "@export()`nvar Roles = {"

# Loop through each role definition to construct the body of the Roles object
foreach ($role in $roleDefinitions) {
    # Remove every character that is not valid in a Bicep identifier
    # (anything other than letters, digits and underscore) and construct the line
    $roleName = $role.roleName -replace '[^A-Za-z0-9_]', ''
    $output += "`n    ${roleName}: '$($role.name)'"
}

# Close the Roles object
$output += "`n}"

# Output to a file
$output | Out-File -FilePath roletypes.bicep

The script fetches all the current roles, removes special characters and adds them to the Roles variable.
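
An added example, not part of the original script: it keeps only built-in roles, checks that each ID parses as a GUID, and stops when two role names collapse to the same key, because a collision would make a readable name resolve to the wrong role ID. The sample input, its placeholder GUIDs and the function name ConvertTo-RoleMap are constructed for illustration; roleType is the field that az role definition list reports as BuiltInRole or CustomRole.

```powershell
# Constructed sample shaped like `az role definition list` output (placeholder GUIDs).
$sample = @'
[
  {"roleName":"Owner","name":"00000000-0000-0000-0000-000000000001","roleType":"BuiltInRole"},
  {"roleName":"Storage Blob Data Reader","name":"00000000-0000-0000-0000-000000000002","roleType":"BuiltInRole"},
  {"roleName":"App-Ops (Team A)","name":"00000000-0000-0000-0000-000000000003","roleType":"CustomRole"},
  {"roleName":"App Ops Team A","name":"00000000-0000-0000-0000-000000000004","roleType":"CustomRole"}
]
'@ | ConvertFrom-Json

# Hypothetical helper: builds an ordered name -> GUID map and fails closed on bad input.
function ConvertTo-RoleMap {
    param(
        [Parameter(Mandatory)] [object[]] $RoleDefinitions,
        [switch] $BuiltInOnly
    )
    $map = [ordered]@{}
    foreach ($role in $RoleDefinitions) {
        if ($BuiltInOnly -and $role.roleType -ne 'BuiltInRole') { continue }

        # Keep only identifier characters; prefix names that would start with a digit.
        $key = $role.roleName -replace '[^A-Za-z0-9_]', ''
        if ($key -notmatch '^[A-Za-z_]') { $key = "_$key" }

        # The value ends up inside a quoted Bicep string, so require a real GUID.
        $guid = [guid]::Empty
        if (-not [guid]::TryParse($role.name, [ref]$guid)) {
            throw "Role '$($role.roleName)' has a non-GUID name: $($role.name)"
        }
        # Two display names that sanitize to one key would silently alias two roles.
        if ($map.Contains($key)) {
            throw "Name collision on '$key': '$($role.roleName)' clashes with role ID $($map[$key])"
        }
        $map[$key] = $role.name
    }
    return $map
}

# Built-in roles only: emit the same shape of file the script above writes.
$builtIn = ConvertTo-RoleMap -RoleDefinitions $sample -BuiltInOnly
$lines = $builtIn.GetEnumerator() | ForEach-Object { "    $($_.Key): '$($_.Value)'" }
"@export()`nvar Roles = {`n$($lines -join "`n")`n}"

# Including the two constructed custom roles triggers the collision check.
try { ConvertTo-RoleMap -RoleDefinitions $sample | Out-Null }
catch { Write-Warning $_.Exception.Message }
```

To run it against a real tenant, replace $sample with the output of az role definition list | ConvertFrom-Json, as in the script above.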

You can now use roletypes.bicep in your own Bicep files by importing it like this:

@description('List of all Azure RBAC roles')
import {
  Roles
} from 'roletypes.bicep'

Wherever you need to pass a role, you can now do it like this:

roleDefinitionIds: [
  Roles.Owner
]

You might want to run the script periodically to pick up newly added Azure built-in roles.