/// <summary>
/// Specifies that applications running on an Azure service with this identity requires
/// the access role with scope of access limited to an ARM resource.
/// </summary>
/// <param name="resourceId">scope of the access represented in ARM resource ID format.</param>
/// <param name="role">Access role to assigned to the virtual machine.</param>
/// <return>RoleAssignmentHelper.</return>
public RoleAssignmentHelper WithAccessTo(string resourceId, BuiltInRole role)
{
string key = resourceId.ToLower() + "_" + role.ToString().ToLower();
if (!this.rolesToAssign.ContainsKey(key))
{
this.rolesToAssign.Add(key, new System.Tuple <string, BuiltInRole>(resourceId, role));
}
return(this);
}
/// <summary>
/// Creates RBAC role assignments for the service principal exposed by IdProvider.
/// </summary>
/// <param name="cancellationToken"></param>
/// <returns>The task with value as list of created role assignments</returns>
private async Task <List <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> > CreateRbacRoleAssignmentsAsync(CancellationToken cancellationToken = default(CancellationToken))
{
List <IRoleAssignment> roleAssignments = new List <IRoleAssignment>();
if (!this.rolesToAssign.Any() &&
!this.roleDefinitionsToAssign.Any())
{
return(roleAssignments);
}
else if (this.idProvider.PrincipalId == null)
{
return(roleAssignments);
}
else
{
try
{
ResolveCurrentResourceGroupScope();
var roleAssignments1 = await Task.WhenAll(rolesToAssign.Values.Select(async(scopeAndRole) =>
{
BuiltInRole role = scopeAndRole.Item2;
string scope = scopeAndRole.Item1;
return(await CreateRbacRoleAssignmentIfNotExistsAsync(role.ToString(), scope, true, cancellationToken));
}));
roleAssignments.AddRange(roleAssignments1);
var roleAssignments2 = await Task.WhenAll(roleDefinitionsToAssign.Values.Select(async(scopeAndRole) =>
{
string roleDefinition = scopeAndRole.Item2;
string scope = scopeAndRole.Item1;
return(await CreateRbacRoleAssignmentIfNotExistsAsync(roleDefinition, scope, false, cancellationToken));
}));
roleAssignments.AddRange(roleAssignments2);
return(roleAssignments.FindAll(roleAssignment => roleAssignment != null));
}
finally
{
this.rolesToAssign.Clear();
this.roleDefinitionsToAssign.Clear();
}
}
}
/// <summary>
/// Creates a RBAC role assignment (using role or role definition) for the service principal exposed by IdProvider.
/// </summary>
/// <param name="roleOrRoleDefinition">The role or role definition.</param>
/// <param name="scope">The scope for the role assignment.</param>
/// <return>the role assignment if it is created, null if assignment already exists.</return>
private async Task <Microsoft.Azure.Management.Graph.RBAC.Fluent.IRoleAssignment> CreateRbacRoleAssignmentIfNotExistsAsync(string roleOrRoleDefinition, string scope, bool isRole, CancellationToken cancellationToken = default(CancellationToken))
{
if (string.IsNullOrEmpty(this.idProvider.PrincipalId))
{
throw new ArgumentNullException("idProvider.PrincipalId");
}
string roleAssignmentName = SdkContext.RandomGuid();
try
{
if (isRole)
{
return(await rbacManager
.RoleAssignments
.Define(roleAssignmentName)
.ForObjectId(this.idProvider.PrincipalId)
.WithBuiltInRole(BuiltInRole.Parse(roleOrRoleDefinition))
.WithScope(scope)
.CreateAsync(cancellationToken));
}
else
{
return(await rbacManager
.RoleAssignments
.Define(roleAssignmentName)
.ForObjectId(this.idProvider.PrincipalId)
.WithRoleDefinition(roleOrRoleDefinition)
.WithScope(scope)
.CreateAsync(cancellationToken));
}
}
catch (CloudException cloudException)
{
if (cloudException.Body != null && cloudException.Body.Code != null && cloudException.Body.Code.Equals("RoleAssignmentExists", StringComparison.OrdinalIgnoreCase))
{
// NOTE: We are unable to lookup the role assignment from principal.RoleAssignments() list
// because role assignment object does not contain 'role' name (the roleDefinitionId refer
// 'role' using id with GUID).
return(null);
}
throw cloudException;
}
}
public ServicePrincipalImpl WithNewRoleInSubscription(BuiltInRole role, string subscriptionId)
{
this.assignedSubscription = subscriptionId;
return(WithNewRole(role, "subscriptions/" + subscriptionId));
}
public ServicePrincipalImpl WithNewRoleInResourceGroup(BuiltInRole role, IResourceGroup resourceGroup)
{
return(WithNewRole(role, resourceGroup.Id));
}
public ServicePrincipalImpl WithNewRole(BuiltInRole role, string scope)
{
this.rolesToCreate.Add(scope, role);
return(this);
}
public RoleAssignmentImpl WithBuiltInRole(BuiltInRole role)
{
this.roleName = role.Value;
return(this);
}
/// <summary>
/// Assigns a new role to the service principal.
/// </summary>
/// <param name="role">The role to assign to the service principal.</param>
/// <param name="scope">The scope the service principal can access.</param>
/// <return>The next stage of the service principal definition.</return>
ServicePrincipal.Definition.IWithCreate ServicePrincipal.Definition.IWithRoleAssignmentBeta.WithNewRole(BuiltInRole role, string scope)
{
return(this.WithNewRole(role, scope) as ServicePrincipal.Definition.IWithCreate);
}
/// <summary>
/// Assigns a new role to the service principal.
/// </summary>
/// <param name="role">The role to assign to the service principal.</param>
/// <param name="subscriptionId">The subscription the service principal can access.</param>
/// <return>The next stage of the service principal definition.</return>
ServicePrincipal.Definition.IWithCreate ServicePrincipal.Definition.IWithRoleAssignmentBeta.WithNewRoleInSubscription(BuiltInRole role, string subscriptionId)
{
return(this.WithNewRoleInSubscription(role, subscriptionId) as ServicePrincipal.Definition.IWithCreate);
}
/// <summary>
/// Assigns a new role to the service principal.
/// </summary>
/// <param name="role">The role to assign to the service principal.</param>
/// <param name="resourceGroup">The resource group the service principal can access.</param>
/// <return>The next stage of the service principal definition.</return>
ServicePrincipal.Definition.IWithCreate ServicePrincipal.Definition.IWithRoleAssignmentBeta.WithNewRoleInResourceGroup(BuiltInRole role, IResourceGroup resourceGroup)
{
return(this.WithNewRoleInResourceGroup(role, resourceGroup) as ServicePrincipal.Definition.IWithCreate);
}
/// <summary>
/// Assigns a new role to the service principal.
/// </summary>
/// <param name="role">The role to assign to the service principal.</param>
/// <param name="scope">The scope the service principal can access.</param>
/// <return>The next stage of the service principal update.</return>
ServicePrincipal.Update.IUpdate ServicePrincipal.Update.IWithRoleAssignmentBeta.WithNewRole(BuiltInRole role, string scope)
{
return(this.WithNewRole(role, scope) as ServicePrincipal.Update.IUpdate);
}
/// <summary>
/// Specifies the name of a built in role for this assignment.
/// </summary>
/// <param name="role">The name of the role.</param>
/// <return>The next stage in role assignment definition.</return>
RoleAssignment.Definition.IWithScope RoleAssignment.Definition.IWithRole.WithBuiltInRole(BuiltInRole role)
{
return(this.WithBuiltInRole(role) as RoleAssignment.Definition.IWithScope);
}
/// <summary>
/// Assigns a new role to the service principal.
/// </summary>
/// <param name="role">The role to assign to the service principal.</param>
/// <param name="subscriptionId">The subscription the service principal can access.</param>
/// <return>The next stage of the service principal update.</return>
ServicePrincipal.Update.IUpdate ServicePrincipal.Update.IWithRoleAssignmentBeta.WithNewRoleInSubscription(BuiltInRole role, string subscriptionId)
{
return(this.WithNewRoleInSubscription(role, subscriptionId));
}
/// <summary>
/// Assigns a new role to the service principal.
/// </summary>
/// <param name="role">The role to assign to the service principal.</param>
/// <param name="resourceGroup">The resource group the service principal can access.</param>
/// <return>The next stage of the service principal update.</return>
ServicePrincipal.Update.IUpdate ServicePrincipal.Update.IWithRoleAssignmentBeta.WithNewRoleInResourceGroup(BuiltInRole role, IResourceGroup resourceGroup)
{
return(this.WithNewRoleInResourceGroup(role, resourceGroup));
}
/// <summary>
/// Specifies that applications running on an Azure service with this identity requires
/// the given access role with scope of access limited to the current resource group that
/// the identity resides.
/// </summary>
/// <param name="role">Access role to assigned to the identity.</param>
/// <return>RoleAssignmentHelper.</return>
public RoleAssignmentHelper WithAccessToCurrentResourceGroup(BuiltInRole role)
{
return(this.WithAccessTo(CURRENT_RESOURCE_GROUP_SCOPE, role));
}