Private/arm.ps1
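function Add-RKAADRole {
    <#
    .SYNOPSIS
    Idempotently assigns an Azure RBAC role to a principal at a scope.

    .DESCRIPTION
    Queries Get-AzRoleAssignment for the given object, role and scope and only
    calls New-AzRoleAssignment when nothing is returned, so re-running the
    deployment does not create duplicate assignments.

    .PARAMETER ObjectId
    Object id of the principal (user, group or service principal) to grant.

    .PARAMETER Scope
    ARM resource id that bounds the assignment.

    .PARAMETER RoleDefinitionName
    Name of the role definition to assign.
    #>
    [CmdletBinding()]
    param(
        [string]$ObjectId,
        [string]$Scope,
        [string]$RoleDefinitionName
    )

    Write-Verbose "Add-RKAADRole - checking for objectId: $ObjectId, role: $RoleDefinitionName, scope: $Scope"
    # NOTE(review): Get-AzRoleAssignment -Scope also reports assignments inherited
    # from parent scopes, so an inherited assignment suppresses creation of an
    # explicit one here - confirm that matches the intended permission model.
    $Exists = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope
    if ($Exists) {
        Write-Verbose "Assignment for objectId: $ObjectId, role: $RoleDefinitionName, scope: $Scope already exists"
    } else {
        New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope | Out-Null
    }
}

function Confirm-RKRole {
    <#
    .SYNOPSIS
    Verifies that a role definition name resolves in the current tenant.

    .PARAMETER RoleDefinitionName
    Name of the role definition to look up with Get-AzRoleDefinition.

    .OUTPUTS
    $true when the role exists.

    .NOTES
    Throws a terminating error when the role is not found, so a typo in a
    permission file aborts the run instead of silently skipping the grant.
    #>
    [CmdletBinding()]
    param([string]$RoleDefinitionName)

    if (!(Get-AzRoleDefinition -Name $RoleDefinitionName)) {
        throw "Role $RoleDefinitionName is not valid"
    } else {
        return $true
    }
}

function Get-RKResourceMSI {
    <#
    .SYNOPSIS
    Returns the principal id of a resource's system-assigned managed identity.

    .PARAMETER ResourceId
    ARM resource id of the resource whose Identity.PrincipalId is wanted.

    .OUTPUTS
    The PrincipalId string, or nothing when the resource is not found or has no
    identity (a non-terminating error / warning is written in those cases).
    #>
    [CmdletBinding()]
    param([string]$ResourceId)

    $App = Get-AzResource -ResourceId $ResourceId
    if (!($App)) {
        Write-Error "Resource $ResourceId not found"
        # Stop here rather than dereferencing $null below; callers still get
        # the non-terminating error plus an empty result.
        return
    }

    $principalId = $App.Identity.PrincipalId
    if (!$principalId) {
        # Without this, a resource that has no managed identity yields an
        # empty id silently and the caller's role assignment fails later.
        Write-Warning "Resource $ResourceId has no system-assigned managed identity (Identity.PrincipalId is empty)"
    }
    return $principalId
}

function Set-RKRbacPermission {
    <#
    .SYNOPSIS
    Applies one declarative RBAC permission entry.

    .DESCRIPTION
    Resolves the principal by type and display name, validates the role name,
    checks that the target scope exists, and then creates the assignment via
    Add-RKAADRole. Each failed lookup is reported and the entry is skipped.

    .PARAMETER Permission
    Object with the properties principalType, principalName, role and scope.
    #>
    [CmdletBinding()]
    param([PSCustomObject]$Permission)

    Write-Host "Attempting Set-RKRbacPermission: Type: '$($Permission.principalType)', Name: '$($Permission.principalName)', Role: '$($Permission.role)', Scope: '$($Permission.scope)'"

    $objectId = Get-RKAADObjectId -ObjectType $Permission.principalType -DisplayName $Permission.principalName
    if ($objectId) {
        # Confirm-RKRole throws on an unknown role, which deliberately aborts
        # the run before any assignment is attempted.
        Confirm-RKRole $Permission.role | Out-Null

        $exists = Confirm-RKArmResourceIdExists $Permission.scope
        if ($exists -eq $true) {
            Add-RKAADRole -ObjectId $objectId -RoleDefinitionName $Permission.role -Scope $Permission.scope
        } else {
            # Previously a missing scope was skipped without any output, which
            # made an un-applied permission hard to notice.
            Write-Warning "Scope not found, skipping assignment ($($Permission.scope))"
        }
    } else {
        Write-Warning "Object not found ($($Permission.principalType) $($Permission.principalName))"
    }
}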